CVE-2020-11005 – haemmerelectronics.sepppenner.windowshello
Package
Manager: nuget
Name: haemmerelectronics.sepppenner.windowshello
Vulnerable Version: >=0 <1.0.4
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00019 (percentile: 0.03437)
Details
The internal NCryptDecrypt method could be called from outside the WindowsHello library.

### Impact
Every user of the library before version 1.0.4.

### Patches
Patched in 1.0.4+.

### Workarounds
None.

### References
https://github.com/SeppPenner/WindowsHello/issues/3

### For more information
If this library is used to encrypt text and write the output to a txt file, another executable could decrypt the text using the static method NCryptDecrypt from this same library without the need to use Windows Hello authentication again.
Metadata
Created: 2020-04-14T23:09:13Z
Modified: 2021-01-08T20:22:38Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-wvpv-ffcv-r6cw/GHSA-wvpv-ffcv-r6cw.json
CWE IDs: ["CWE-288"]
Alternative ID: GHSA-wvpv-ffcv-r6cw
Finding: F115
Auto approve: 1