Also vulnerable when using master password + key file? #10

Closed
wouterVE opened this issue May 22, 2023 · 1 comment

@wouterVE

I cannot find an answer for this on this page nor on this SourceForge thread discussing this vulnerability so:

Is this vulnerability also exploitable when using a key file together with your master password?

I've tried this PoC on 2 databases I use, both having a key file. It returned some random letters and numbers, nothing related with my password. The databases are created using an older version of KeePass though (don't know which, but must be several years ago).

Afterwards, I created a new password (using 2.53.1) using only a master password and I was able to decrypt it using this PoC.

Thanks for clarification

@vdohney
Owner

vdohney commented May 23, 2023

The key file is unrelated to this. If you have it stored somewhere else than your computer, like a flash drive, then you are probably ok. I haven't done any analysis though. In general, if the attacker only has your password but not the key file, they shouldn't be able to decrypt your DB.

For the issue relating to the old DB (separate), please post here: #4 - especially if you happen to remember the particular version you created the DB with. Unfortunately, I am still unable to reproduce it.
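
Added example, not part of the thread or the project's code: a simplified Python model of how KeePass 2.x combines a master password and a key file into one composite key, illustrating the point above that a recovered password without the key file does not give the database key. The function names and sample values are constructed; XML key files and the key-derivation step that follows (AES-KDF or Argon2) are not modelled.

```python
import hashlib
import hmac
from typing import Optional


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keyfile_component(raw: bytes) -> bytes:
    """Reduce key-file contents to 32 bytes (XML key files not modelled)."""
    if len(raw) == 32:                       # raw 32-byte binary key
        return raw
    if len(raw) == 64:                       # 64 hex characters
        try:
            decoded = bytes.fromhex(raw.decode("ascii"))
            if len(decoded) == 32:
                return decoded
        except (UnicodeDecodeError, ValueError):
            pass                             # not hex: fall through to hashing
    return sha256(raw)                       # any other file: hash its contents


def composite_key(password: Optional[str], keyfile: Optional[bytes]) -> bytes:
    """SHA-256 over the concatenated components, password component first."""
    parts = b""
    if password is not None:
        parts += sha256(password.encode("utf-8"))
    if keyfile is not None:
        parts += keyfile_component(keyfile)
    if not parts:
        raise ValueError("at least one key component is required")
    return sha256(parts)


def unlocks(candidate: bytes, real: bytes) -> bool:
    """Constant-time comparison of a candidate composite key with the real one."""
    return hmac.compare_digest(candidate, real)


# Constructed sample values, for illustration only.
PASSWORD = "correct horse battery staple"
KEYFILE = b"constructed key file contents kept on a flash drive"
REAL_KEY = composite_key(PASSWORD, KEYFILE)

if __name__ == "__main__":
    print("password + key file:", unlocks(composite_key(PASSWORD, KEYFILE), REAL_KEY))
    print("password only:      ", unlocks(composite_key(PASSWORD, None), REAL_KEY))
```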
