
A new KeePass vulnerability has recently been disclosed that makes it possible to recover the master password even when the program is closed. The vulnerability is CVE-2023-3278, and a simple proof-of-concept tool has been released that can be used to dump the master password from KeePass’s memory. The recovered password is missing the first character, but is otherwise in clear text. The vulnerability affects the latest version of KeePass, which is version 2.53.1. The fix will be in version 2.5.4, which is scheduled to be available in the beginning of June. If you’re using KeePass, you should restart your computer, clear your computer’s swap file and hibernation files, and not use KeePass until the fixed version is released.

This segment was created for the It’s 5:05 podcast