Vulnerability Description
The WindowsHello open source library (NuGet HaemmerElectronics.SeppPenner.WindowsHello), before version 1.0.4, has a vulnerability where encrypted data could potentially be decrypted without needing authentication. If the library is used to encrypt text and write the output to a txt file, another executable could be able to decrypt the text using the static method NCryptDecrypt from this same library without the need to use Windows Hello Authentication again. This has been patched in version 1.0.4.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Windowshello Project | Windowshello | < 1.0.4 |
Related Weaknesses (CWE)
References
- https://github.com/SeppPenner/WindowsHello/issues/3Issue TrackingThird Party Advisory
- https://github.com/SeppPenner/WindowsHello/security/advisories/GHSA-wvpv-ffcv-r6Third Party Advisory
- https://github.com/SeppPenner/WindowsHello/issues/3Issue TrackingThird Party Advisory
- https://github.com/SeppPenner/WindowsHello/security/advisories/GHSA-wvpv-ffcv-r6Third Party Advisory
FAQ
What is CVE-2020-11005?
CVE-2020-11005 is a vulnerability with a CVSS score of 5.1 (MEDIUM). The WindowsHello open source library (NuGet HaemmerElectronics.SeppPenner.WindowsHello), before version 1.0.4, has a vulnerability where encrypted data could potentially be decrypted without needing a...
How severe is CVE-2020-11005?
CVE-2020-11005 has been rated MEDIUM with a CVSS base score of 5.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-11005?
Check the references section above for vendor advisories and patch information. Affected products include: Windowshello Project Windowshello.