CVE-2024-45394

Secret encryption vulnerable to brute-force attacks

Description

Authenticator is a browser extension that generates two-step verification codes. In versions 7.0.0 and below, encryption keys for user data were stored encrypted at-rest using only AES-256 and the EVP_BytesToKey KDF. Therefore, attackers with a copy of a user's data are able to brute-force the user's encryption key. Users on version 8.0.0 and above are automatically migrated away from the weak encoding on first login. Users should destroy encrypted backups made with versions prior to 8.0.0.

Categories

8.8
CVSS
Severity: High
CVSS 3.1 •
EPSS 0.01%
Vendor Advisory github.com
Affected: Authenticator-Extension Authenticator
Published at:
Updated at:

References

Link Tags
https://github.com/Authenticator-Extension/Authenticator/security/advisories/GHSA-gv8m-vgp8-q2xr vendor advisory
https://github.com/Authenticator-Extension/Authenticator/commit/17aa2068553db3c3aac081c9ffe393536f33b28b patch

Frequently Asked Questions

What is the severity of CVE-2024-45394?
CVE-2024-45394 has been scored as a high severity vulnerability.
How to fix CVE-2024-45394?
To fix CVE-2024-45394, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-45394 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2024-45394 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-45394?
CVE-2024-45394 affects Authenticator-Extension Authenticator.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.