CVE-2024-45394

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-45394
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-45394.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-45394
Aliases
  • GHSA-gv8m-vgp8-q2xr
Published
2024-09-03T21:15:16Z
Modified
2024-09-05T01:42:17.953406Z
Summary
[none]
Details

Authenticator is a browser extension that generates two-step verification codes. In versions 7.0.0 and below, encryption keys for user data were stored encrypted at rest using only AES-256 and the EVP_BytesToKey KDF. Therefore, attackers with a copy of a user's data are able to brute-force the user's encryption key. Users on version 8.0.0 and above are automatically migrated away from the weak encoding on first login. Users should destroy encrypted backups made with versions prior to 8.0.0.

References

Affected packages

Git / github.com/authenticator-extension/authenticator

Affected ranges

Type
GIT
Repo
https://github.com/authenticator-extension/authenticator
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v5.*

v5.0.10
v5.0.2-pre-release
v5.0.3-pre-release
v5.0.4
v5.0.5
v5.0.6
v5.0.7
v5.0.8
v5.0.9
v5.1.0
v5.1.1
v5.2.0
v5.2.1
v5.2.2
v5.3.0
v5.3.1
v5.3.2

v6.*

v6.0.0
v6.0.1
v6.1.0
v6.2.0
v6.2.1
v6.3.0
v6.3.1
v6.3.2
v6.3.3
v6.3.4