New Release: v3.12.2

v3.12.2 ~ Stille Einfuegen

Release date: April 26th 2023.

:musical_note: Stille Einfugen :musical_note:

:heart: Thank you to all the Passbolt developers for keeping our passwords safe :partying_face: :tada::heart:

This update for Pro and CE is a small security release of the API only. It addresses an information leak issue while creating a resource with encrypted description and misusing the API. A client could inadvertently insert an unencrypted version of the description along with its encrypted version in the database.

:memo: Release Notes: Pro

:memo: Release Notes: CE

:heart: If you enjoy Passbolt’s features and security, please show your support, write a review on the app, extension and webstore :star2::star2::star2::star2::star2: (chrome, firefox, edge, ios, android)

:heart: We welcome your feedback and invite you to show your support by adding a :star: on our GitHub API repo: GitHub - passbolt/passbolt_api: Passbolt CE Backend, a JSON API written with Cakephp.


As a Passbolt self-hoster, can I somehow check for descriptions that are stored as both encrypted and plain text? I’d like to notify users about potentially compromised secrets.

And is there a way to safely remove the plain text part?

Prior to running the migrations you can see if you have resources that are affected by running:

select id, name from resources where description is NOT NULL and resource_type_id IN (select id from resource_types where slug = 'password-and-description');

Running the migrations will clean up the issue.


Thank you!
I had to add `and description <> ''` too on MySQL, but it seems I have no affected passwords.
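
The pre-migration check discussed in this thread, as an added example that is not part of the original posts or Passbolt's own code: it runs the detection query with the empty-string guard against a constructed in-memory SQLite copy of the two tables the query touches. The sample rows, ids and the second resource type slug are constructed for illustration; only the table, column and `password-and-description` names come from the thread.

```python
import sqlite3

# Detection query from the thread, plus the empty-string guard that one
# reply needed on MySQL (rows holding '' instead of NULL are not leaks).
AFFECTED_SQL = """
SELECT r.id, r.name
FROM resources r
WHERE r.description IS NOT NULL
  AND r.description <> ''
  AND r.resource_type_id IN (
      SELECT id FROM resource_types WHERE slug = 'password-and-description')
ORDER BY r.id
"""


def build_sample_db():
    """Constructed stand-in for the two tables the query reads."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE resource_types (id TEXT PRIMARY KEY, slug TEXT);
        CREATE TABLE resources (id TEXT PRIMARY KEY, name TEXT,
                                description TEXT, resource_type_id TEXT);
    """)
    db.executemany("INSERT INTO resource_types VALUES (?, ?)", [
        ("t-enc", "password-and-description"),
        ("t-other", "constructed-other-type"),  # placeholder slug
    ])
    db.executemany("INSERT INTO resources VALUES (?, ?, ?, ?)", [
        ("r1", "db-root", "constructed plaintext note", "t-enc"),  # affected
        ("r2", "wiki", None, "t-enc"),       # clean: NULL description
        ("r3", "mail", "", "t-enc"),         # clean: empty string, not NULL
        ("r4", "legacy-ftp", "old notes", "t-other"),  # outside the check
    ])
    return db


def find_affected(db):
    """Return (id, name) for resources whose type expects an encrypted
    description but whose row still holds a non-empty plaintext one."""
    return db.execute(AFFECTED_SQL).fetchall()


if __name__ == "__main__":
    for rid, name in find_affected(build_sample_db()):
        print(f"affected: {rid} {name}")
```

Against a real instance, run the same `SELECT` before the migrations, since running them cleans up the plaintext column and the rows needed for notifying users can no longer be identified afterwards.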