CVE-2024-39846 identifies a security weakness in NewPass password management software versions prior to 1.2.0, where user passwords are stored directly in plaintext rather than as cryptographically hashed values. This practice violates standard security principles that mandate password hashing to protect against unauthorized access. Although the data at rest is encrypted, the passwords are decrypted in process memory during runtime, exposing them to potential memory scraping or other in-memory attacks. The vulnerability is classified under CWE-312 (Cleartext Storage of Sensitive Information). The CVSS v3.1 base score is 3.5, reflecting a low severity primarily because exploitation requires local access with low privileges, no user interaction, and only impacts confidentiality without affecting integrity or availability. No known exploits have been reported in the wild, and no official patches have been linked yet. The vulnerability increases risk if an attacker gains local access or can execute code to read process memory, potentially leading to unauthorized disclosure of sensitive credentials. This flaw underscores the critical need for secure password handling, including hashing with salts and minimizing plaintext exposure in memory.

The primary impact of this vulnerability is the potential unauthorized disclosure of user passwords, which can lead to credential compromise and subsequent unauthorized access to systems or services protected by those credentials. Since passwords are stored in plaintext and decrypted in memory, attackers with local access or the ability to perform memory inspection can extract these passwords. This could facilitate lateral movement within an organization, privilege escalation, or data breaches if attackers leverage the stolen credentials. However, the low CVSS score and requirement for local privileges limit the scope and ease of exploitation. Organizations relying on NewPass for password management may face increased risk of credential theft, especially if endpoint security is weak or if attackers have already gained some foothold. The vulnerability does not affect system integrity or availability directly but compromises confidentiality, which can have cascading effects on overall security posture.

To mitigate this vulnerability, organizations should upgrade NewPass to version 1.2.0 or later where passwords are properly hashed rather than stored in plaintext. Until an upgrade is possible, enforce strict access controls to limit local access to trusted users only and implement endpoint security measures to detect and prevent unauthorized memory access or code execution. Employ memory protection techniques such as Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) to reduce the risk of memory scraping. Regularly audit and monitor systems for suspicious activity indicative of memory inspection or credential theft attempts. Additionally, consider using hardware-based security modules or trusted execution environments to isolate sensitive operations. Educate users and administrators about the risks of plaintext password storage and the importance of secure password management practices. Finally, maintain up-to-date backups and incident response plans to quickly respond to any potential compromise.