TechRadar
Sead Fadilpašić

Passwordstate users should patch this auth bypass vulnerability immediately, company says

Shadowed hands on a digital background reaching for a login prompt.
  • Passwordstate's latest version patches an authentication bypass flaw
  • It could be abused to access the Passwordstate Administration section without authentication
  • There are workarounds, too

Passwordstate, an enterprise-grade password manager tailored for organizations and IT and security teams, is urging users to update their instances to the newest version and mitigate risks of potential authentication bypass attacks.

“Today we have released build 9972, which includes 2 security updates,” Click Studios, the company behind Passwordstate, said in its security advisory. “We recommend customers upgrade as soon as possible.”

The changelog for Passwordstate 9.9 - Build 9972 describes a “potential authentication bypass when using a carefully crafted URL against the core Passwordstate Products’ Emergency Access page”.

Workarounds and mitigations

The CVE ID for the vulnerability is currently pending, so its severity rating is not yet known, but we do know that exploiting it allows threat actors to gain access to the Passwordstate Administration section. Depending on how easy it is to pull off, the severity score could be quite high.

Speaking to BleepingComputer, Click Studios also said there was a workaround for those who cannot patch that fast: "The only partial workaround for this is to set the Emergency Access Allowed IP Address for your webserver under System Settings->Allowed IP Ranges. This is a short term partial fix and Click Studios strongly recommends that all customers upgrade to Passwordstate Build 9972 as soon as possible."

Passwordstate is a secure password vault used to store, organize, and control passwords, API keys, certificates, and other secrets. It is primarily an on-prem solution, although cloud-based options are available, as well. It is praised for its enterprise-level functionality and affordability versus higher-priced PAM tools, but also criticized for its steeper technical learning curve, setup, server requirements, and UI complexity.

Click Studios claims it is used by more than 370,000 users working in 29,000 companies, including government agencies, financial institutions, global enterprises, Fortune 500 companies, and others.

Via BleepingComputer
