Passwordstate users should patch this auth bypass vulnerability immediately, company says
There is a workaround for those unable to patch, too

- Passwordstate's latest version patches an authentication bypass flaw
- It could be abused to access the Passwordstate Administration section without authentication
- There are workarounds, too
Passwordstate, an enterprise-grade password manager tailored for organizations and IT and security teams, is urging users to update their instances to the newest version and mitigate risks of potential authentication bypass attacks.
“Today we have released build 9972, which includes 2 security updates,” Click Studios, the company behind Passwordstate, said in its security advisory. “We recommend customers upgrade as soon as possible.”
The changelog for Passwordstate 9.9 - Build 9972 talks about a “potential authentication bypass when using a carefully crafted URL against the core Passwordstate Products’ Emergency Access page”.
Workarounds and mitigations
The CVE ID for the vulnerability is currently pending, so we don’t know the severity at the moment, but we do know that exploiting it allows threat actors to gain access to the Passwordstate Administration section. Depending on how easy it is to pull off, the severity score could be quite high.
Speaking to BleepingComputer, Click Studios also said there was a workaround for those who cannot patch that fast: "The only partial workaround for this is to set the Emergency Access Allowed IP Address for your webserver under System Settings->Allowed IP Ranges. This is a short term partial fix and Click Studios strongly recommends that all customers upgrade to Passwordstate Build 9972 as soon as possible."
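The workaround above restricts the Emergency Access page to the web server's own address, which also gives defenders a simple audit: any request to that page from an address outside the allowed range is worth reviewing, and one that is followed by the same client reaching the Administration section deserves priority. The script below is an added example, not Click Studios' code or anything from the advisory. It assumes the Emergency Access page lives at /emergency and the Administration section under /admin (both placeholders, since the advisory names the pages but not their URLs), a constructed allowed range of 10.0.5.0/24 standing in for the Allowed IP Ranges setting, and constructed IIS-style log lines reduced to seven fields.

```python
import ipaddress

# Placeholders: the advisory names the "Emergency Access page" and the
# "Administration section" but gives no URLs, so both paths below are
# assumptions to be replaced with the real ones for your deployment.
EMERGENCY_PATH = "/emergency"
ADMIN_PREFIX = "/admin"

# The workaround restricts Emergency Access to the web server's own address;
# this constructed range stands in for the configured Allowed IP Ranges.
ALLOWED_RANGES = [ipaddress.ip_network("10.0.5.0/24")]

# Constructed IIS-style log lines, simplified to seven fields:
# date time method uri-stem uri-query client-ip status
SAMPLE_LOG = """\
2025-09-01 10:01:02 GET /emergency - 10.0.5.10 200
2025-09-01 10:01:07 GET /passwords/list - 10.0.5.22 200
2025-09-01 10:02:15 GET /emergency ReturnUrl=%2Fadmin 203.0.113.44 302
2025-09-01 10:02:16 GET /admin/settings - 203.0.113.44 200
2025-09-01 10:03:00 GET /emergency - 198.51.100.9 200
"""


def parse_line(line):
    """Split one log line into a record; return None for lines that do not fit."""
    parts = line.split()
    if len(parts) != 7:
        return None
    date, time, method, path, query, client, status = parts
    try:
        ip = ipaddress.ip_address(client)
    except ValueError:
        return None
    return {"ts": f"{date} {time}", "method": method, "path": path.lower(),
            "query": query, "ip": ip, "status": status}


def is_allowed(ip, allowed_ranges):
    """True when the client address falls inside one of the allowed ranges."""
    return any(ip in net for net in allowed_ranges)


def audit_emergency_access(log_text, allowed_ranges=ALLOWED_RANGES,
                           emergency_path=EMERGENCY_PATH, admin_prefix=ADMIN_PREFIX):
    """Return one finding per Emergency Access request from outside the allowed
    ranges, noting whether the same client later reached the Administration section."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    findings = []
    for i, rec in enumerate(records):
        if rec["path"] != emergency_path.lower() or is_allowed(rec["ip"], allowed_ranges):
            continue
        # Correlate: did this client hit an admin path after the emergency page?
        reached_admin = any(later["ip"] == rec["ip"] and later["path"].startswith(admin_prefix)
                            for later in records[i + 1:])
        findings.append({"ts": rec["ts"], "client": str(rec["ip"]), "query": rec["query"],
                         "status": rec["status"], "reached_admin": reached_admin})
    return findings


if __name__ == "__main__":
    for f in audit_emergency_access(SAMPLE_LOG):
        sev = "HIGH" if f["reached_admin"] else "review"
        print(f"[{sev}] {f['ts']} {f['client']} -> {EMERGENCY_PATH} ?{f['query']} ({f['status']})")
```

Run against the constructed sample, the audit reports two hits from outside the allowed range: 203.0.113.44, which went on to an admin path and is marked high, and 198.51.100.9, which did not. Point it at real IIS logs by mapping the actual W3C fields in parse_line and substituting the deployment's real page paths.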
Passwordstate is a secure password vault used to store, organize, and control passwords, API keys, certificates, and other secrets. It is primarily an on-prem solution, although cloud-based options are available, as well. It is praised for its enterprise-level functionality and affordability versus higher-priced PAM tools, but also criticized for its steeper technical learning curve, setup, server requirements, and UI complexity.
Click Studios claims it is used by more than 370,000 users working in 29,000 companies, including government agencies, financial institutions, global enterprises, Fortune 500 companies, and others.
Via BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.