KeePassXC and KeePassDX are unaffected by CVE-2023-24055
@phoerious
"KeePassXC is not affected, because it doesn't support triggers."
https://github.com/keepassxreboot/keepassxc/issues/9041#issuecomment-1408260822
Jérémy Jamet, maintainer of KeePassDX, said something similar:
"CVE-2023-24055 has absolutely nothing to do with KeePassDX so no debate to have here.
It uses a trigger function of the KeePass PC XML program. KeePassDX does not use an internal configuration file, does not have a trigger and uses another OS that does not have the same constraints.
And even if there was this kind of function, it would require, as it is indicated, access to the application file system, that's why it is DISPUTED. Dominik explains the subject well here: https://keepass.info/help/kb/sec_issues.html
If the attacker has write access to the configuration file, you already have other problems. If this is the case, nothing prevents the malicious person from using other methods to recover all the contents of your PC and all the encrypted contents when you open an encrypted area."
https://github.com/Kunzisoft/KeePassDX/issues/1497#issuecomment-1410787964