PT-2023-25503 · Keeper · Keeper Password Manager For Desktop

Published: 2023-07-12 · Updated: 2024-08-02 · CVE-2023-36266

CVSS v3.1: 5.5 (Medium)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Keeper Password Manager for Desktop version 16.10.2
KeeperFill Browser Extensions version 16.5.4
Description

An issue allows local attackers to gain sensitive information via plaintext password storage in memory after the user is already logged in, and the passwords may persist in memory after logout. The vendor disputes this, stating that the information is inherently available during a logged-in session when the attacker can read from arbitrary memory locations, and that the information only remains available after logout because of memory-management limitations of web browsers.
Recommendations

For Keeper Password Manager for Desktop version 16.10.2 and KeeperFill Browser Extensions version 16.5.4, consider updating to a newer version that addresses the plaintext password storage issue. As a temporary workaround, consider restricting access to sensitive information while logged in to minimize the risk of exploitation.

Weakness Enumeration

Insufficiently Protected Credentials

Related Identifiers

CVE-2023-36266

Affected Products

Keeper Password Manager For Desktop
KeeperFill Browser Extensions