GHSA-wvpv-ffcv-r6cw

Source
https://github.com/advisories/GHSA-wvpv-ffcv-r6cw
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-wvpv-ffcv-r6cw/GHSA-wvpv-ffcv-r6cw.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-wvpv-ffcv-r6cw
Aliases
Published
2020-04-14T23:09:13Z
Modified
2023-11-08T04:02:02.930098Z
Severity
  • 5.1 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Internal NCryptDecrypt method could be used externally from WindowsHello library.
Details

Impact

Every user of the library before version 1.0.4.

Patches

Patched in 1.0.4+.

Workarounds

None.

References

https://github.com/SeppPenner/WindowsHello/issues/3

For more information

If this library is used to encrypt text and write the output to a txt file, another executable could decrypt the text using the static method NCryptDecrypt from this same library without needing to use Windows Hello authentication again.

Database specific
{
    "nvd_published_at": null,
    "github_reviewed_at": "2020-04-14T22:26:38Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-288"
    ]
}
Affected packages

NuGet / HaemmerElectronics.SeppPenner.WindowsHello

Package

Name
HaemmerElectronics.SeppPenner.WindowsHello
Purl
pkg:nuget/HaemmerElectronics.SeppPenner.WindowsHello

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.0.4

Affected versions

1.*

1.0.0
1.0.0.1
1.0.2
1.0.3