• henfredemars@infosec.pub
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    I have to agree with the reasoning. As a very interested user of KeePass, a CVE took my attention, and I do a lot of security research as part of my job.

    I don’t think this should qualify as a CVE because it’s so close to assuming the conclusion that it’s effectively not a vulnerability. If you have a local attacker with arbitrary memory access, your password is in all likelyhood already owned.

    It’s nearly the argument that a locally authenticated user could modify my bash.rc to alias sudo and steal my password. Of course, I know him; he’s me!