CVE-2024-45394

CVSS V2 None CVSS V3 None

Description

Authenticator is a browser extensions that generates two-step verification codes. In versions 7.0.0 and below, encryption keys for user data were stored encrypted at-rest using only AES-256 and the EVP_BytesToKey KDF. Therefore, attackers with a copy of a user's data are able to brute-force the user's encryption key. Users on version 8.0.0 and above are automatically migrated away from the weak encoding on first login. Users should destroy encrypted backups made with versions prior to 8.0.0.

Overview

CVE ID
CVE-2024-45394

Assigner
GitHub_M

Vulnerability Status
PUBLISHED

Published Version
2024-09-03T20:15:42.769Z

Last Modified Date
2024-09-03T20:49:37.246Z

Weakness Enumerations

CWE	URL
CWE-261	http://cwe.mitre.org/data/definitions/261.html
CWE-327	http://cwe.mitre.org/data/definitions/327.html

References

Reference URL	Reference Tags
https://github.com/Authenticator-Extension/Authenticator/security/advisories/GHSA-gv8m-vgp8-q2xr	x_refsource_CONFIRM
https://github.com/Authenticator-Extension/Authenticator/commit/17aa2068553db3c3aac081c9ffe393536f33b28b	x_refsource_MISC

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2024-45394
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45394

History

Created	Old Value	New Value	Data Type	Notes
2024-09-04 13:09:55				Added to TrackCVE