CVE-2023-41646 — Buttercup allows attackers to obtain the hash of the master password

Description

Buttercup allows attackers to obtain the hash of the master password for the password manager via accessing the file /vaults.json/. This affects the Buttercup app up to version 2.20.3.

How to fix CVE-2023-41646

To remediate CVE-2023-41646, upgrade the affected package to a fixed version below.

npm/buttercup—upgrade to 7.4.0 or later

Is CVE-2023-41646 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 2.20.3, < 7.4.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-41646
PATCHgithub.com/buttercup/buttercup-core
WEBbuttercup.pw
WEBgithub.com/buttercup/buttercup-core/commit/77fbcdfe4caf57486a3c83c07fc6d36bb0e1d3e1
WEB