buttercup / buttercup-core

:tophat: The mighty NodeJS password vault
http://buttercup.pw/
MIT License
467 stars 57 forks

CVE-2023-41646 #336

Closed perry-mitchell closed 7 months ago

perry-mitchell commented 10 months ago

Example: https://github.com/buttercup/buttercup-core/blob/master/source/core/VaultSource.ts#L267

Credentials, by design, currently stores the master password, when encrypted.

This should be refactored so that it is no longer stored anywhere, at rest.

Source repo: https://github.com/tristao-marinho/CVE-2023-41646

perry-mitchell commented 7 months ago

The attached PR prevents Buttercup from writing the master password to any stringified credentials, which is what was written to ~/local/share/Buttercup-nodejs/vaults.json in the original CVE description. The credentials are never plain text, but once updated after this is released it will no longer be included in the payload.
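
A sketch of the fix described in the comment above, added here as an illustration and not taken from Buttercup's code or the attached PR: the serializer drops the master password before encrypting, and a regression check decrypts a stored string to confirm the field is absent. The `masterPassword` field name, the function names, the sample credentials and the scrypt + AES-256-GCM string format are all assumptions.

```javascript
// Added illustration: names and the scrypt + AES-256-GCM format are assumptions,
// not Buttercup's API or its on-disk format.
const crypto = typeof require === "function"
  ? require("node:crypto") : process.getBuiltinModule("node:crypto");

const SECRET_FIELDS = new Set(["masterPassword"]); // hypothetical field name

const deriveKey = (password, salt) => crypto.scryptSync(password, salt, 32);

// Encrypt a credentials object for storage at rest (e.g. an entry in vaults.json).
// stripSecrets=false reproduces the pre-fix behaviour the issue describes:
// the master password travels inside the encrypted payload.
function credentialsToSecureString(creds, masterPassword, stripSecrets = true) {
  const payload = {};
  for (const [key, value] of Object.entries(creds)) {
    if (stripSecrets && SECRET_FIELDS.has(key)) continue; // never persisted
    payload[key] = value;
  }
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", deriveKey(masterPassword, salt), iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify(payload), "utf8"), cipher.final()]);
  // "$" is not in the base64 alphabet, so it is a safe separator.
  return [salt, iv, cipher.getAuthTag(), ct].map((b) => b.toString("base64")).join("$");
}

// Decrypt a stored string; throws if the password is wrong or the data was altered.
function credentialsFromSecureString(stored, masterPassword) {
  const [salt, iv, tag, ct] = stored.split("$").map((s) => Buffer.from(s, "base64"));
  const decipher = crypto.createDecipheriv("aes-256-gcm", deriveKey(masterPassword, salt), iv);
  decipher.setAuthTag(tag);
  const pt = Buffer.concat([decipher.update(ct), decipher.final()]);
  return JSON.parse(pt.toString("utf8"));
}

// Regression check: which secret fields, if any, survive in a stored payload?
function leakedSecretFields(stored, masterPassword) {
  const payload = credentialsFromSecureString(stored, masterPassword);
  return Object.keys(payload).filter((key) => SECRET_FIELDS.has(key));
}

// Constructed sample credentials, not real data.
const SAMPLE = { type: "file", path: "/tmp/example.bcup", masterPassword: "correct horse" };
```
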