Home > Vulnerability Database > CVE-2020-11005

Mend.io Vulnerability Database

CVE-2020-11005

Good to know:

Date: April 14, 2020

The WindowsHello open source library (NuGet HaemmerElectronics.SeppPenner.WindowsHello), before version 1.0.4, has a vulnerability where encrypted data could potentially be decrypted without needing authentication. If the library is used to encrypt text and write the output to a txt file, another executable could be able to decrypt the text using the static method NCryptDecrypt from this same library without the need to use Windows Hello Authentication again. This has been patched in version 1.0.4.

Language: C#

Severity Score

5.1

Related Resources (4)

Url: https://github.com/SeppPenner/WindowsHello/issues/3

Url: https://nvd.nist.gov/vuln/detail/CVE-2020-11005

Url: https://github.com/SeppPenner/WindowsHello/security/advisories/GHSA-wvpv-ffcv-r6cw

Url: https://www.mend.io/vulnerability-database/CVE-2020-11005

Severity Score

5.1

Weakness Type (CWE)

Use of a Broken or Risky Cryptographic Algorithm

CWE-327

Authentication Bypass Using an Alternate Path or Channel

CWE-288

Top Fix

Upgrade Version

Upgrade to version HaemmerElectronics.SeppPenner.WindowsHello - 1.0.4

Learn More

CVSS v3.1

Base Score:	5.1
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

CVSS v2

Base Score:	2.1
Access Vector (AV):	LOCAL
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	NONE
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2020-11005

Good to know:

Date: April 14, 2020

Language: C#

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?