CVE-2021-23827 Information

Description

Keybase Desktop Client before 5.6.0 on Windows and macOS and before 5.6.1 on Linux allows an attacker to obtain potentially sensitive media (such as private pictures) from the Cache and uploadtemps directories. It fails to effectively clear cached pictures even after deletion via the client's normal deletion method or by using the "Explode message/Explode now" functionality. Local filesystem access is needed by the attacker.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Reference

https://github.com/keybase/client/releases

https://johnjhacking.com/blog/cve-2021-23827/

https://hackerone.com/reports/1074930

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

Base Score

5.5

Base Severity

MEDIUM
