Version v7.5.12 (Stable)
With KeePass Client v7.5.9
Release Date
Aug 29th, 2016
These Release Notes detail the differences between this release and the last Stable version (7.5.11).
For information about the "Latest" versions in between, see Older And In-between Versions.
Security
- Vulnerability Patch
- Summary:
- Confidential information could be exposed to unauthorized users by entering specially crafted values into the system.
- Requirements:
- The unauthorized individual (attacker) would first need a Password Server account with access to create or edit credentials, in order to insert the values.
- Then a more privileged user would have to navigate to particular places in the Password Server Web Client.
- Scope of Impact:
- Attacker would have to be technically competent and already have access to an authorized account on the Password Server.
- Attacks of this nature are easily identifiable and can be traced to the culprit using Password Server's auditing and history features.
- Status:
- This vulnerability has been fixed in this release.
- Companies will be given 2 months to deploy this patch, before more specific information regarding the vulnerability is revealed.
- Update:
- Specific to the web client only, an explicitly authorized user could enter malicious code into certain fields of credentials and of the administrative areas of the web client. When another, more privileged user browsed to a page where that field value is used and displayed, the stored code could perform unexpected operations in that user's session (the pattern described is a stored cross-site scripting issue).
- Entries of this type are easy to spot. After upgrading to version 7.5.12 or higher, they can be left in place without harm, or deleted.
- Credential access through the KeePass client is not affected.
- This issue was discovered during security testing; there have been no reports of it affecting a production environment.
- Versions Affected: 7.0.1 - 7.5.11
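The mechanism the Update describes, as an added example written for this page rather than code from Password Server (its real web client templates, field names and filters are not shown here; the record layout and the `title`/`notes` fields are assumptions): a credential field rendered by string concatenation lets a stored tag run in the viewing user's browser, escaping at render time shows the same value literally, and a small scan over exported entries flags the kind of entry the note says is easy to spot. The sample records are constructed.

```javascript
// Added example, not Password Server code. Shows why a stored field value
// executes when another user views it, how escaping at render time stops
// that, and how to flag such entries in an export for review.

// Constructed sample credential records (assumed layout, not the product's).
// "title" and "notes" are free-text fields that a web client displays.
const SAMPLE_ENTRIES = [
  { id: 1, title: "Build server root", notes: "Rotated 2016-08-01" },
  { id: 2, title: "Payroll DB", notes: "<img src=x onerror=\"alert(document.domain)\">" },
  { id: 3, title: "<script>alert(1)</script>", notes: "" },
  { id: 4, title: "Fileshare", notes: "Password contains <, > and & characters" },
];

// Unsafe rendering: field values are dropped straight into markup, so a
// value containing a tag becomes part of the DOM and its script or event
// handler runs with the session of whoever opens the page.
function renderRowUnsafe(entry) {
  return `<tr><td>${entry.title}</td><td>${entry.notes}</td></tr>`;
}

// Escape the five characters that can change the meaning of HTML text or
// attribute values. After this, a stored "<script>" is displayed literally.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Safe rendering: same template, every field escaped at the point of output.
function renderRowSafe(entry) {
  return `<tr><td>${escapeHtml(entry.title)}</td><td>${escapeHtml(entry.notes)}</td></tr>`;
}

// Review heuristic for entries already stored: flag a value that looks like
// an HTML tag, an inline event-handler attribute, or a javascript: URL.
// A bare "<" or "&" in a note (entry 4) is not flagged.
const MARKUP_PATTERN = /<\s*\/?\s*[a-z][^>]*>|\bon[a-z]+\s*=|javascript\s*:/i;

// Returns the ids of entries whose title or notes match the heuristic,
// so they can be checked against the audit history and deleted.
function findSuspiciousEntries(entries) {
  return entries
    .filter((e) => MARKUP_PATTERN.test(e.title) || MARKUP_PATTERN.test(e.notes))
    .map((e) => e.id);
}

// Stand-alone demonstration.
console.log("unsafe:", renderRowUnsafe(SAMPLE_ENTRIES[2]));
console.log("safe:  ", renderRowSafe(SAMPLE_ENTRIES[2]));
console.log("flagged entry ids:", findSuspiciousEntries(SAMPLE_ENTRIES));
```

The heuristic is deliberately simple and is meant for a one-off review of existing data after upgrading; the fix that matters is the escaped rendering, applied to every field the web client displays, not the scan.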
Improvements
- Various UI improvements and fixes.
Bug Fixes
- Fixed an issue in the Directory Group data migration from previous versions of Password Server.
Compatibility Notes
- KeePass Clients v6.0.1 and older will not be able to perform actions that require usage comments, although other functions will continue working. Upgrade the client installations.
- Internet Explorer 8 is no longer supported in Password Server Version ≥ 7.0.1.