Use of a broken or risky cryptographic algorithm in Dropbox for Windows - CVE-2019-12171

 

Use of a broken or risky cryptographic algorithm in Dropbox for Windows - CVE-2019-12171

Published: July 8, 2019 / Updated: August 8, 2020


Vulnerability identifier: #VU35750
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2019-12171
CWE-ID: CWE-327
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Dropbox
Affected software:
Dropbox for Windows

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

Dropbox.exe (and QtWebEngineProcess.exe in the Web Helper) in the Dropbox desktop application 71.4.108.0 store cleartext credentials in memory upon successful login or new account creation. These are not securely freed in the running process.


How to mitigate CVE-2019-12171

Install update from vendor's website.

Sources