Users who have installed the KeePassRPC plugin, which links the KeePass password manager to the web browser via the Kee browser extension, should update to KeePassRPC 1.12.1 immediately. Critical vulnerabilities in all previous versions of the plugin could be exploited by attackers to read all passwords from open KeePass databases.
For a successful attack, a developer writes in a security notice about the KeePassRPC vulnerabilities, a visit to a specially prepared website with one of the browsers in which the Kee extension is installed is sufficient. Sometimes there is not even a visible indication of an exploit that is taking place or has taken place.
Proof-of-concept code from the discoverers of the vulnerabilities already exists. Nothing is known about active attacks yet; however, in view of the severity of the vulnerabilities, the plugin developer recommends an immediate update. Technical details on the vulnerabilities (which are based on inadequate validation mechanisms and inadequate random number generation) can be found in the security advisory.
Manual update necessary
Since KeePass does not perform automatic updates, users of the plugin must update it themselves. Any old KeePassRPC.plgx versions on the system must be replaced immediately with the current version.
The developer emphasizes in the security notice that these are not security holes in Kee itself. In addition, users who store their passwords exclusively in Kee Vault are not affected. The same naturally applies to KeePass users who have not linked the password manager to the browser or to Kee at all.
KeePassRPC 1.12.1 is available for download from GitHub. There are also detailed step-by-step instructions in English for performing the upgrade.