Security Advisories
Keeper Connection Manager Security Advisories
Vulnerability Disclosure Program
Keeper has partnered with Bugcrowd to manage our vulnerability disclosure program. Please submit reports through https://bugcrowd.com/keepersecurity or send an email to security@keepersecurity.com.
| Severity (CVSS v3.1 score) | CVE ID | Description | Fixed in Keeper Connection Manager (or legacy Glyptodon) Release |
|---|---|---|---|
Low (1.8) | CVE-2020-9497 | Improper input validation of RDP static virtual channels | 1.13, 2.1 |
Medium (5.9) | CVE-2020-9498 | Dangling pointer in RDP static virtual channel handling | 1.13, 2.1 |
Medium (4.1) | CVE-2020-11997 | Inconsistent restriction of connection history visibility | 1.14, 2.2 |
Medium (4.4) | CVE-2021-41767 | Private tunnel identifier may be included in the non-private details of active connections | 1.16, 2.6 |
High (8.7) | CVE-2021-43999 | Improper validation of SAML responses | 2.7 |
Severity rating scale
Keeper Connection Manager evaluates the factual details of each known vulnerability affecting Keeper Connection Manager and assigns severity ratings using the CVSS v3.1 scoring system, a standard owned by FIRST.Org, Inc. which FIRST has made freely available for public use. This scoring system produces a numeric rating between 0.0 and 10.0, which we then classify according to the "Qualitative Severity Rating Scale" published with the CVSS standard. The specific analysis that went into each assigned score can also be found within the document specific to the vulnerability, linked within the main table above.
| Severity | CVSS score range |
|---|---|
None | 0.0 |
Low | 0.1 - 3.9 |
Medium | 4.0 - 6.9 |
High | 7.0 - 8.9 |
Critical | 9.0 - 10.0 |
Last updated