CVE-2021-23827

EUVD-2021-10755
Keybase Desktop Client before 5.6.0 on Windows and macOS, and before 5.6.1 on Linux, allows an attacker to obtain potentially sensitive media (such as private pictures) in the Cache and uploadtemps directories. It fails to effectively clear cached pictures, even after deletion via normal methodology within the client, or by utilizing the "Explode message/Explode now" functionality. Local filesystem access is needed by the attacker.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.5 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 10%
Affected Products (NVD)
VendorProductVersion
keybasekeybase
𝑥
< 5.6.0
keybasekeybase
𝑥
< 5.6.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/keybase/client/releases
https://hackerone.com/reports/1074930
https://johnjhacking.com/blog/cve-2021-23827/
https://github.com/keybase/client/releases
https://hackerone.com/reports/1074930
https://johnjhacking.com/blog/cve-2021-23827/