
Insecure Credential Storage in web3

Low severity GitHub Reviewed Published May 30, 2019 to the GitHub Advisory Database • Updated Jan 9, 2023

Package

web3 (npm)

Affected versions

<= 1.5.2

Patched versions

None

Description

All versions of web3 are vulnerable to Insecure Credential Storage. The package stores encrypted wallets in localStorage and requires a password to load the wallet. Once the wallet is loaded, the private key is accessible via localStorage. Exploiting this vulnerability likely requires a Cross-Site Scripting vulnerability to access the private key.
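The advisory's concern is what a web3.js wallet leaves in the page's localStorage, where any script running on the same origin can read it. The audit helper below is an added example for this page, not code from web3.js or from the advisory. It assumes web3.js's default layout: wallet.save(password) writes a JSON array of V3 keystore objects under the key "web3js_wallet" (the default keyName); the in-memory storage stand-in and the two sample entries are constructed so the check runs offline under Node, and the hex values in them are placeholders, not real keys.

```javascript
// Added audit helper (not web3.js code): report what a web3.js wallet save()
// left in localStorage and whether each entry is an encrypted V3 keystore or
// an unencrypted key. Assumption: the default storage key is "web3js_wallet".
const DEFAULT_KEY_NAME = 'web3js_wallet';

// A V3 keystore carries the secret only as ciphertext inside crypto/Crypto.
function isV3Keystore(entry) {
  if (!entry || typeof entry !== 'object') return false;
  const c = entry.crypto || entry.Crypto;
  return entry.version === 3 &&
    typeof entry.address === 'string' &&
    !!c && typeof c.ciphertext === 'string' &&
    typeof c.mac === 'string' &&
    typeof c.kdf === 'string';
}

// A raw 32-byte secp256k1 key is 64 hex chars (optionally 0x-prefixed) stored
// outside the crypto container. Top-level fields only, so ciphertext (also 64
// hex chars, but nested under crypto) is not mistaken for a plaintext key.
const RAW_KEY_RE = /^(0x)?[0-9a-fA-F]{64}$/;
function hasPlaintextKey(entry) {
  if (!entry || typeof entry !== 'object') return false;
  return Object.entries(entry).some(([k, v]) =>
    k !== 'crypto' && k !== 'Crypto' && typeof v === 'string' && RAW_KEY_RE.test(v));
}

// Inspect a Storage-like object (window.localStorage in a browser) and return
// a report instead of printing, so the result can be asserted on.
function auditWeb3Wallet(storage, keyName = DEFAULT_KEY_NAME) {
  const report = { present: false, entries: 0, encrypted: 0, plaintext: 0, findings: [] };
  const raw = storage.getItem(keyName);
  if (raw === null || raw === undefined) return report;
  report.present = true;
  let parsed;
  try {
    parsed = JSON.parse(raw);
  } catch (e) {
    report.findings.push('stored value is not JSON');
    return report;
  }
  const list = Array.isArray(parsed) ? parsed : [parsed];
  report.entries = list.length;
  list.forEach((entry, i) => {
    if (hasPlaintextKey(entry)) {
      report.plaintext += 1;
      report.findings.push(`entry ${i}: contains an unencrypted 32-byte key`);
    } else if (isV3Keystore(entry)) {
      report.encrypted += 1;
    } else {
      report.findings.push(`entry ${i}: not a recognised V3 keystore`);
    }
  });
  report.findings.push(
    `${report.entries} wallet entries under "${keyName}" are readable by any script on this origin`);
  return report;
}

// Constructed in-memory stand-in for window.localStorage (Node has none).
function makeStorage(initial = {}) {
  const data = new Map(Object.entries(initial));
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => data.set(k, String(v)),
    removeItem: (k) => data.delete(k),
  };
}

// Constructed samples: one properly encrypted V3 entry (placeholder hex, not a
// real key) and one entry where a raw private key was stored by mistake.
const SAMPLE_ENCRYPTED = {
  version: 3,
  id: '00000000-0000-4000-8000-000000000000',
  address: '0'.repeat(40),
  crypto: {
    ciphertext: '11'.repeat(32),
    cipherparams: { iv: '22'.repeat(16) },
    cipher: 'aes-128-ctr',
    kdf: 'scrypt',
    kdfparams: { dklen: 32, salt: '33'.repeat(32), n: 8192, r: 8, p: 1 },
    mac: '44'.repeat(32),
  },
};
const SAMPLE_PLAINTEXT = { address: '0'.repeat(40), privateKey: '0x' + 'ab'.repeat(32) };

const sampleStorage = makeStorage({
  web3js_wallet: JSON.stringify([SAMPLE_ENCRYPTED, SAMPLE_PLAINTEXT]),
});

console.log(JSON.stringify(auditWeb3Wallet(sampleStorage), null, 2));
```

In a browser the same call is auditWeb3Wallet(window.localStorage). The report distinguishes the case the advisory describes (keystore present but encrypted, still exposed to same-origin script) from the worse case of an unencrypted key, so a finding of "plaintext: 0" does not mean the storage is safe, only that the password-derived encryption is in place.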

Recommendation

No fix is currently available. Consider using an alternative module until a fix is made available.

References

Reviewed May 30, 2019
Published to the GitHub Advisory Database May 30, 2019
Last updated Jan 9, 2023

Severity

Low (3.3 / 10)

CVSS base metrics

Attack vector: Local
Attack complexity: Low
Privileges required: Low
User interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-27v7-qhfv-rqq8

Source code
