Auto-merge PR#3571

2025-08-04 08:44:25 +00:00 · 2020-04-14 18:30:20 -04:00 · 2020-04-14 18:30:20 -04:00 · 51b73f7862
commit 51b73f7862
parent a6204d9ec8 86a7c61ad4
1 changed files with 76 additions and 6 deletions
--- a/2020/11xxx/CVE-2020-11005.json
+++ b/2020/11xxx/CVE-2020-11005.json
@ -1,18 +1,88 @@
 {
-    "data_type": "CVE",
-    "data_format": "MITRE",
-    "data_version": "4.0",
    "CVE_data_meta": {
+        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2020-11005",
-        "ASSIGNER": "cve@mitre.org",
-        "STATE": "RESERVED"
+        "STATE": "PUBLIC",
+        "TITLE": "Internal NCryptDecrypt method could be used externally from WindowsHello library."
    },
+    "affects": {
+        "vendor": {
+            "vendor_data": [
+                {
+                    "product": {
+                        "product_data": [
+                            {
+                                "product_name": "WindowsHello",
+                                "version": {
+                                    "version_data": [
+                                        {
+                                            "version_value": "< 1.0.4"
+                                        }
+                                    ]
+                                }
+                            }
+                        ]
+                    },
+                    "vendor_name": "SeppPenner"
+                }
+            ]
+        }
+    },
+    "data_format": "MITRE",
+    "data_type": "CVE",
+    "data_version": "4.0",
    "description": {
        "description_data": [
            {
                "lang": "eng",
-                "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+                "value": "The WindowsHello open source library (NuGet HaemmerElectronics.SeppPenner.WindowsHello),\nbefore version 1.0.4, has a vulnerability where encrypted data could potentially be decrypted without needing authentication.\nIf the library is used to encrypt text and write the output to a txt file, another executable could be able to decrypt the\ntext using the static method NCryptDecrypt from this same library without the need to use Windows Hello Authentication again.\n\nThis has been patched in version 1.0.4."
            }
        ]
+    },
+    "impact": {
+        "cvss": {
+            "attackComplexity": "HIGH",
+            "attackVector": "LOCAL",
+            "availabilityImpact": "NONE",
+            "baseScore": 5.1,
+            "baseSeverity": "MEDIUM",
+            "confidentialityImpact": "HIGH",
+            "integrityImpact": "NONE",
+            "privilegesRequired": "NONE",
+            "scope": "UNCHANGED",
+            "userInteraction": "NONE",
+            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
+            "version": "3.1"
+        }
+    },
+    "problemtype": {
+        "problemtype_data": [
+            {
+                "description": [
+                    {
+                        "lang": "eng",
+                        "value": "CWE-288: Authentication Bypass Using an Alternate Path or Channel"
+                    }
+                ]
+            }
+        ]
+    },
+    "references": {
+        "reference_data": [
+            {
+                "name": "https://github.com/SeppPenner/WindowsHello/security/advisories/GHSA-wvpv-ffcv-r6cw",
+                "refsource": "CONFIRM",
+                "url": "https://github.com/SeppPenner/WindowsHello/security/advisories/GHSA-wvpv-ffcv-r6cw"
+            },
+            {
+                "name": "https://github.com/SeppPenner/WindowsHello/issues/3",
+                "refsource": "MISC",
+                "url": "https://github.com/SeppPenner/WindowsHello/issues/3"
+            }
+        ]
+    },
+    "source": {
+        "advisory": "GHSA-wvpv-ffcv-r6cw",
+        "discovery": "UNKNOWN"
    }
 }