CVE-2023-32784 : is KeepassXC affected ?

[ospring]

CVE-2023-32784 (https://www.it-connect.fr/keepass-cve-2023-32784-recuperer-mot-de-passe/?utm_content=cmp-true) seems to affect the original client on windows. Is KeepassXC affected as it is written with an other language ?

[droidmonkey]

Based on this attack requirement, we are not vulnerable:

KeePass 2.X uses a custom-developed text box for password entry, SecureTextBoxEx. This text box is not only used for the master password entry, but in other places in KeePass as well, like password edit boxes (so the attack can also be used to recover their contents).

The flaw exploited here is that for every character typed, a leftover string is created in memory. Because of how .NET works, it is nearly impossible to get rid of it once it gets created. For example, when "Password" is typed, it will result in these leftover strings: •a, ••s, •••s, ••••w, •••••o, ••••••r, •••••••d. The POC application searches the dump for these patterns and offers a likely password character for each position in the password.

[ospring]

Thank you for these explanations.

[phoerious]

See also our blog post from 2019: https://keepassxc.org/blog/2019-02-21-memory-security/