Authenticator
CVE-2024-45394
HIGH
Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
Authenticator is a browser extension that generates two-step verification codes. In versions 7.0.0 and below, encryption keys for user data were stored encrypted at-rest using only AES-256 and the EVP_BytesToKey KDF. Therefore, attackers with a copy of a user's data are able to brute-force the user's encryption key. Users on version 8.0.0 and above are automatically migrated away from the weak encoding on first login. Users should destroy encrypted backups made with versions prior to 8.0.0.
AnalysisAI
Authenticator is a browser extension that generates two-step verification codes. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.
Technical ContextAI
This vulnerability is classified under CWE-261. Authenticator is a browser extension that generates two-step verification codes. In versions 7.0.0 and below, encryption keys for user data were stored encrypted at-rest using only AES-256 and the EVP_BytesToKey KDF. Therefore, attackers with a copy of a user's data are able to brute-force the user's encryption key. Users on version 8.0.0 and above are automatically migrated away from the weak encoding on first login. Users should destroy encrypted backups made with versions prior to 8.0.0. Affected products include: Authenticator. Version information: version 8.0.0.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
More in Authenticator
View allUnder certain conditions SAP Authenticator for Android allows an attacker to access information which would otherwise be
Microsoft Authenticator Elevation of Privilege Vulnerability. Rated high severity (CVSS 7.1), this vulnerability is no a
An improper authentication vulnerability has been reported to affect QNAP Authenticator. If an attacker gains physical a
SAP Authenticator for Android - version 1.3.0, allows the screen to be captured, if an authorized attacker installs a ma
pam_google_authenticator.c in the PAM module in Google Authenticator before 1.0 requires user-readable permissions for t
Microsoft Authenticator contains an information disclosure vulnerability that allows local attackers to access sensitive
Same weakness CWE-261 – Weak Encoding for Password
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today