February 02, 2023
What this KeePass CVE means for organizations searching for new password vaults
Written by Carlos Perez
After the 2022 LastPass breach, many organizations began searching for alternative password vault solutions. KeePass, a legacy open-source option, has risen to the top for many organizations evaluating their options; others have already been using it for years. A recent POC demonstrating how to abuse the Trigger feature was released and assigned a CVE. While the KeePass developers are contesting the assignment of the CVE, we thought it would be valuable to break down exactly how the attack works and the risk it poses.
POC: https://github.com/alt3kx/CVE-2023-24055_PoC
KeePass Discussion: https://sourceforge.net/p/keepass/discussion/329220/thread/a146e5cf6b/