Home > Vulnerability Database > CVE-2024-45394

Mend.io Vulnerability Database

CVE-2024-45394

Date: September 3, 2024

Authenticator is a browser extensions that generates two-step verification codes. In versions 7.0.0 and below, encryption keys for user data were stored encrypted at-rest using only AES-256 and the EVP_BytesToKey KDF. Therefore, attackers with a copy of a user's data are able to brute-force the user's encryption key. Users on version 8.0.0 and above are automatically migrated away from the weak encoding on first login. Users should destroy encrypted backups made with versions prior to 8.0.0.

Language: TYPE_SCRIPT

Severity Score

8.8

Related Resources (4)

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-45394

Url: https://github.com/Authenticator-Extension/Authenticator/commit/17aa2068553db3c3aac081c9ffe393536f33b28b

Url: https://github.com/Authenticator-Extension/Authenticator/security/advisories/GHSA-gv8m-vgp8-q2xr

Url: https://www.mend.io/vulnerability-database/CVE-2024-45394

Severity Score

8.8

Weakness Type (CWE)

Inadequate Encryption Strength

CWE-326

Use of a Broken or Risky Cryptographic Algorithm

CWE-327

Weak Encoding for Password

CWE-261

CVSS v3.1

Base Score:	8.8
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-45394

Date: September 3, 2024

Language: TYPE_SCRIPT

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?