Use of a broken or risky cryptographic algorithm in Dropbox for Windows
Published: 2019-07-08 | Updated: 2020-08-08
Risk: High
Patch available: Yes
Number of vulnerabilities: 1
CVE-ID: CVE-2019-12171
CWE-ID: CWE-327
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: Dropbox for Windows
Software category: Client/Desktop applications / File managers, FTP clients

Vendor: Dropbox

Security Bulletin

This security bulletin contains one high risk vulnerability.

1) Use of a broken or risky cryptographic algorithm

EUVDB-ID: #VU35750

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-12171

CWE-ID: CWE-327 - Use of a Broken or Risky Cryptographic Algorithm

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

Dropbox.exe (and QtWebEngineProcess.exe in the Web Helper) in the Dropbox desktop application 71.4.108.0 store cleartext credentials in memory upon successful login or new account creation. These are not securely freed in the running process.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Dropbox for Windows: 71.4.108.0

External links

http://drive.google.com/open?id=1DCGurwRTu0HsUpTglVR0jgItZNqqDm_5
http://drive.google.com/open?id=1msz6pb08crPC0VT7s_Z_KTsKm9CbLJEXNsmRwzoNLy8


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
