CVE-2024-45394
Severity: HIGH (CVSS 3.1 base score 7.8)
EPSS: 0.5%
Published: Sep 3, 2024
Last Modified: Jun 17, 2026
Description
Authenticator is a browser extension that generates two-step verification codes. In versions 7.0.0 and below, the encryption keys for user data were themselves stored encrypted at rest using only AES-256 with a key derived from the user's password by EVP_BytesToKey, OpenSSL's legacy password-based KDF. That KDF applies a fast hash with, in practice, a single iteration and has no meaningful work factor, so each password guess costs roughly one hash and one decryption. An attacker who obtains a copy of the user's stored data (for example a backup or the extension's local storage) can therefore brute-force the password offline, recover the encryption key, and decrypt the protected data. Users on version 8.0.0 and above are automatically migrated away from the weak key derivation on first login. Because migration cannot reach copies that already exist, users should destroy encrypted backups made with versions prior to 8.0.0.
CVSS Details
Base Score: 7.8 (CVSS 3.1)
Vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
Threat Intelligence
EPSS Exploit Probability: 0.5%
Exploit & Patch Status: No Known Exploit; Patch Available
Weaknesses (3)
- CWE-261: Weak Encoding for Password
- CWE-326: Inadequate Encryption Strength
- CWE-327: Use of a Broken or Risky Cryptographic Algorithm
Affected Products (1)
| Vendor | Product | Version | Range |
|---|---|---|---|
| authenticator | authenticator | * | <8.0.0 |
References (2)
- Fix commit: https://github.com/Authenticator-Extension/Authenticator/commit/17aa2068553db3c3aac081c9ffe393536f33b28b
- GitHub Security Advisory GHSA-gv8m-vgp8-q2xr: https://github.com/Authenticator-Extension/Authenticator/security/advisories/GHSA-gv8m-vgp8-q2xr
Remediation
Upgrade to Authenticator 8.0.0 or later; affected users are migrated off the weak key derivation automatically on first login. Data encrypted by versions before 8.0.0 that still exists elsewhere (notably backups) remains brute-forceable and should be destroyed.
- Fix commit: https://github.com/Authenticator-Extension/Authenticator/commit/17aa2068553db3c3aac081c9ffe393536f33b28b