CVE-2020-11005

EPSS 0.02%
Published 14.04.2020 23:15:12
Last modified 21.11.2024 04:56:33
Source security-advisories@github.com
Teams watchlist Login
Open Login

The WindowsHello open source library (NuGet HaemmerElectronics.SeppPenner.WindowsHello), before version 1.0.4, has a vulnerability where encrypted data could potentially be decrypted without needing authentication. If the library is used to encrypt text and write the output to a txt file, another executable could be able to decrypt the text using the static method NCryptDecrypt from this same library without the need to use Windows Hello Authentication again. This has been patched in version 1.0.4.

Affected products Warnungen 0 Metrics 4 CWE 2 References 5

Data is provided by the National Vulnerability Database (NVD)

Windowshello Project ≫ Windowshello Version < 1.0.4

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.02%	0.027

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	5.5	1.8	3.6	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov	2.1	3.9	2.9	AV:L/AC:L/Au:N/C:P/I:N/A:N
security-advisories@github.com	5.1	1.4	3.6	CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-288 Authentication Bypass Using an Alternate Path or Channel

The product requires authentication, but the product has an alternate path or channel that does not require authentication.

CWE-327 Use of a Broken or Risky Cryptographic Algorithm

The product uses a broken or risky cryptographic algorithm or protocol.

https://github.com/SeppPenner/WindowsHello/issues/3

Third Party Advisory

Issue Tracking

https://github.com/SeppPenner/WindowsHello/security/advisories/GHSA-wvpv-ffcv-r6cw

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2020-11005

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-11005

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-11005

EUVD