Moderate severityNVD Advisory· Published Apr 14, 2020· Updated Aug 4, 2024

Internal NCryptDecrypt method could be used externally from WindowsHello library.

CVE-2020-11005

Description

The WindowsHello open source library (NuGet HaemmerElectronics.SeppPenner.WindowsHello), before version 1.0.4, has a vulnerability where encrypted data could potentially be decrypted without needing authentication. If the library is used to encrypt text and write the output to a txt file, another executable could be able to decrypt the text using the static method NCryptDecrypt from this same library without the need to use Windows Hello Authentication again. This has been patched in version 1.0.4.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
HaemmerElectronics.SeppPenner.WindowsHelloNuGet	< 1.0.4	1.0.4

Affected products

Sepppenner/Windowshellov5
Range: < 1.0.4

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-wvpv-ffcv-r6cwghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2020-11005ghsaADVISORY
github.com/SeppPenner/WindowsHello/issues/3ghsax_refsource_MISCWEB
github.com/SeppPenner/WindowsHello/security/advisories/GHSA-wvpv-ffcv-r6cwghsax_refsource_CONFIRMWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000