CVE-2021-23827

Published: Feb 23, 2021Modified: Nov 21, 2024

5.5

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 1.8 / Impact: 3.6

Source: NVD

Description

Keybase Desktop Client before 5.6.0 on Windows and macOS, and before 5.6.1 on Linux, allows an attacker to obtain potentially sensitive media (such as private pictures) in the Cache and uploadtemps directories. It fails to effectively clear cached pictures, even after deletion via normal methodology within the client, or by utilizing the "Explode message/Explode now" functionality. Local filesystem access is needed by the attacker.

Affected (2)

Products: Keybase: Keybase

1 product

Configuration A

1 vulnerable · 2 platform

Vulnerable Software	Affected Versions
Keybase Keybase	Before 5.6.0

Running on/with	Platform Versions
Apple Macos	All versions
Microsoft Windows	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Keybase Keybase	Before 5.6.1

Running on/with	Platform Versions
Redhat Linux	All versions

Related CWEs

Cleartext Storage of Sensitive Information

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

References (6)

https://github.com/keybase/client/releases

Source: cve@mitre.org

Release NotesThird Party Advisory

https://hackerone.com/reports/1074930

Source: cve@mitre.org

ExploitIssue TrackingThird Party Advisory

https://johnjhacking.com/blog/cve-2021-23827/

Source: cve@mitre.org

ExploitThird Party Advisory

https://github.com/keybase/client/releases

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesThird Party Advisory

https://hackerone.com/reports/1074930

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitIssue TrackingThird Party Advisory

https://johnjhacking.com/blog/cve-2021-23827/

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.