Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS03Y3dxLXA4Y3ItaDlxZ84AA1wt
Buttercup allows attackers to obtain the hash of the master password
Buttercup allows attackers to obtain the hash of the master password for the password manager via accessing the file /vaults.json/.
This affects the Buttercup app up to version 2.20.3.
Permalink: https://github.com/advisories/GHSA-7cwq-p8cr-h9qgJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03Y3dxLXA4Y3ItaDlxZ84AA1wt
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 8 months ago
Updated: 5 months ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Identifiers: GHSA-7cwq-p8cr-h9qg, CVE-2023-41646
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-41646
- https://buttercup.pw/
- https://github.com/tristao-marinho/CVE-2023-41646/
- https://github.com/buttercup/buttercup-core/issues/336
- https://github.com/buttercup/buttercup-core/commit/77fbcdfe4caf57486a3c83c07fc6d36bb0e1d3e1
- https://github.com/advisories/GHSA-7cwq-p8cr-h9qg
Blast Radius: 8.7
Affected Packages
npm:buttercup
Dependent packages: 20Dependent repositories: 44
Downloads: 917 last month
Affected Version Ranges: >= 2.20.3, < 7.4.0
Fixed in: 7.4.0
All affected versions: 3.0.0, 4.0.0, 4.1.0, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.3.0, 4.4.0, 4.4.1, 4.5.0, 4.5.1, 4.6.0, 4.7.0, 4.7.1, 4.8.0, 4.8.1, 4.8.2, 4.9.0, 4.9.1, 4.9.2, 4.10.0, 4.11.0, 4.11.1, 4.12.0, 4.13.0, 4.13.1, 5.0.0, 5.0.1, 5.1.0, 5.2.0, 5.2.1, 5.3.0, 5.3.1, 5.4.0, 5.5.0, 5.6.0, 5.6.1, 5.6.2, 5.7.0, 5.8.0, 5.9.0, 5.9.1, 5.10.0, 5.11.0, 5.12.0, 5.12.1, 5.12.2, 5.13.0, 5.13.1, 6.0.0, 6.1.0, 6.2.0, 6.3.0, 6.4.0, 6.5.0, 6.6.0, 6.7.0, 6.8.0, 6.8.1, 6.8.2, 6.9.0, 6.9.1, 6.10.0, 6.11.0, 6.12.0, 6.13.0, 6.13.1, 6.14.0, 6.15.0, 6.15.1, 6.15.2, 6.15.3, 6.16.0, 6.16.1, 6.16.2, 6.16.3, 6.16.4, 6.16.5, 6.17.0, 6.17.1, 6.17.2, 7.0.0, 7.1.0, 7.1.1, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.3.0
All unaffected versions: 0.5.0, 0.5.1, 0.6.0, 0.6.1, 0.7.0, 0.8.0, 0.8.1, 0.9.0, 0.10.0, 0.10.1, 0.10.2, 0.11.0, 0.11.1, 0.11.2, 0.11.3, 0.11.4, 0.12.0, 0.12.1, 0.12.2, 0.13.0, 0.14.0, 0.15.0, 0.15.1, 0.16.0, 0.17.0, 0.18.0, 0.19.0, 0.20.0, 0.20.1, 0.21.0, 0.22.0, 0.23.0, 0.24.0, 0.25.0, 0.26.0, 0.27.0, 0.28.0, 0.29.0, 0.30.0, 0.30.2, 0.31.0, 0.32.0, 0.33.0, 0.33.1, 0.33.2, 0.34.0, 0.35.0, 0.36.0, 0.37.0, 0.37.1, 0.38.0, 0.38.1, 0.39.0, 0.39.1, 0.40.0, 0.40.1, 0.41.0, 0.41.1, 0.41.2, 0.42.0, 0.42.1, 0.43.0, 0.44.1, 0.45.0, 0.46.0, 0.47.0, 0.48.0, 0.49.0, 0.50.0, 1.0.0, 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.3.0, 1.3.1, 1.4.0, 1.5.0, 1.5.1, 1.6.0, 1.6.1, 1.6.2, 1.7.0, 1.7.1, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.2.0, 2.3.0, 2.4.0, 2.4.1, 2.5.0, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.7.0, 2.8.0, 2.8.1, 2.9.0, 2.9.1, 2.9.2, 2.10.0, 2.11.0, 2.12.0, 2.13.0, 2.14.0, 2.15.0, 2.15.1, 2.15.2, 2.15.3, 2.15.4, 2.16.0, 2.16.1, 7.4.0, 7.5.0, 7.6.0, 7.7.0