- The latest Passwordstate build patches an authentication bypass flaw
- It could be exploited to reach the Administration section of the password manager without authenticating
- A partial workaround exists for customers who cannot patch right away
Click Studios, the developer of Passwordstate, an enterprise password manager tailored for IT and security teams, is urging customers to update their instances to the latest version to mitigate the risk of a potential authentication bypass attack.
“Today we have released Build 9972, which includes 2 security updates,” Click Studios, the company behind Passwordstate, said in its security advisory. “We recommend customers update as soon as possible.”
The changelog for Passwordstate 9.9 – Build 9972 describes a “potential authentication bypass when using a carefully crafted URL against the Emergency Access page” of the Passwordstate Core product.
Workaround and mitigations
A CVE ID for the vulnerability is still pending, so its severity rating is not yet known, but exploiting it reportedly lets threat actors reach the Administration section of the password manager. Depending on how easy it is to trigger, the severity score could be quite high.
In a statement to BleepingComputer, Click Studios also said there is a workaround for those who cannot patch quickly: “The only partial workaround for this is to set the Allowed IP Ranges for Emergency Access for your web server in System Settings > Allowed IP Ranges. This is a partial short-term fix and Click Studios strongly recommends that all customers upgrade to Build 9972 as soon as possible.”
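Note that the allow-list only limits which clients can reach the Emergency Access page; it does not remove the bypass itself, which is why the vendor calls it partial. While waiting to patch, it is also worth checking the web server logs for requests to that page from addresses outside the permitted ranges. The Python below is an added example for this article, not code from Click Studios or from the advisory. It assumes IIS W3C extended log format, a constructed log excerpt and allow-list, and a placeholder path `/emergency` for the Emergency Access page, whose real URL the article does not state.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

# Assumption: the article does not give the Emergency Access page URL.
# "/emergency" is a placeholder; replace it with the path of your instance.
EMERGENCY_PATH = "/emergency"

# Constructed allow-list, the kind of ranges an admin would enter under
# System Settings > Allowed IP Ranges. Only management hosts belong here.
ALLOWED_RANGES = [
    ipaddress.ip_network("10.0.5.0/24"),
    ipaddress.ip_network("192.168.100.10/32"),
]

# Constructed IIS W3C extended log excerpt (not real Passwordstate traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-09-29 08:01:12 10.0.5.2 GET /emergency - 443 - 10.0.5.40 Mozilla/5.0 200
2025-09-29 08:03:55 10.0.5.2 GET /emergency tok=abc 443 - 203.0.113.77 curl/8.4.0 200
2025-09-29 08:04:10 10.0.5.2 GET /default.aspx - 443 - 203.0.113.77 curl/8.4.0 302
2025-09-29 08:07:41 10.0.5.2 POST /emergency - 443 - 198.51.100.9 python-requests/2.31 200
2025-09-29 08:09:03 10.0.5.2 GET /emergency - 443 - 192.168.100.10 Mozilla/5.0 200
"""


def ip_allowed(addr: str, ranges=ALLOWED_RANGES) -> bool:
    """True if addr falls inside one of the allowed networks.

    A malformed or empty client address is treated as NOT allowed, so that a
    parsing problem never hides a request from an unexpected source."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in ranges)


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse IIS W3C extended log lines into dicts keyed by the #Fields header."""
    fields: Optional[List[str]] = None
    records: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names follow the directive
            continue
        if line.startswith("#"):
            continue                       # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("log body encountered before #Fields header")
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue                       # skip malformed lines rather than misalign columns
        records.append(dict(zip(fields, parts)))
    return records


def suspicious_emergency_hits(
    log_text: str, path: str = EMERGENCY_PATH, ranges=ALLOWED_RANGES
) -> List[Tuple[str, str, str, str, str]]:
    """Requests to the Emergency Access page from outside the allowed ranges.

    Returns (timestamp, client ip, method, query string, status) per hit."""
    hits = []
    for rec in parse_w3c(log_text.splitlines()):
        if rec.get("cs-uri-stem", "").lower() != path.lower():
            continue
        if ip_allowed(rec.get("c-ip", ""), ranges):
            continue
        hits.append((
            f"{rec['date']} {rec['time']}",
            rec["c-ip"],
            rec["cs-method"],
            rec["cs-uri-query"],
            rec["sc-status"],
        ))
    return hits


if __name__ == "__main__":
    for hit in suspicious_emergency_hits(SAMPLE_LOG):
        print("review:", *hit)
```

Run against the real IIS logs for the Passwordstate site; any hit listed is a request that the allow-list would have blocked had it been in place, and a 200 response to such a request on an unpatched build deserves a closer look.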
Passwordstate is a secure password vault used to store, organize, and control access to passwords, API keys, certificates, and other secrets. It is primarily an on-premises solution, although cloud-based options are also available. It is praised for its enterprise-grade functionality and affordability compared to higher-priced PAM tools, but also criticized for its steeper technical learning curve, setup and server requirements, and user-interface complexity.
Click Studios says the product is used by more than 370,000 users across 29,000 companies, including government agencies, financial institutions, global enterprises, Fortune 500 companies, and others.
Via BleepingComputer