Description
The WindowsHello open source library (NuGet HaemmerElectronics.SeppPenner.WindowsHello), before version 1.0.4, has a vulnerability where encrypted data could potentially be decrypted without needing authentication. If the library is used to encrypt text and write the output to a txt file, another executable could be able to decrypt the text using the static method NCryptDecrypt from this same library without the need to use Windows Hello Authentication again. This has been patched in version 1.0.4.
References (2)
Core 2
Core References
Third Party Advisory x_refsource_confirm
https://github.com/SeppPenner/WindowsHello/security/advisories/GHSA-wvpv-ffcv-r6cw
Issue Tracking, Third Party Advisory x_refsource_misc
https://github.com/SeppPenner/WindowsHello/issues/3
Scores
CVSS v3
5.1
EPSS
0.0002
EPSS Percentile
5.6%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-327
CWE-288
Status
published
Products (2)
nuget/HaemmerElectronics.SeppPenner.WindowsHello
0 - 1.0.4NuGet
windowshello_project/windowshello
< 1.0.4
Published
Apr 14, 2020
Tracked Since
Feb 18, 2026