CVE-2023-27706

Bitwarden Windows desktop application versions prior to v2023.4.0 store biometric keys in Windows Credential Manager, accessible to other local unprivileged processes.

Configurations

Configuration 1

cpe:2.3:a:bitwarden:bitwarden:*:*:*:*:desktop:*:*:*

History

21 Nov 2024, 07:53

Type Values Removed Values Added
References
  Removed: () https://github.com/bitwarden/clients - Product
  Added: () https://github.com/bitwarden/clients - Product
References
  Removed: () https://github.com/bitwarden/clients/blob/8b5a223ad4ca0f89b6c9bcdbddef464d1755d2c0/apps/desktop/desktop_native/src/biometric/windows.rs#L19 - Product
  Added: () https://github.com/bitwarden/clients/blob/8b5a223ad4ca0f89b6c9bcdbddef464d1755d2c0/apps/desktop/desktop_native/src/biometric/windows.rs#L19 - Product
References
  Removed: () https://github.com/bitwarden/clients/blob/8b5a223ad4ca0f89b6c9bcdbddef464d1755d2c0/apps/desktop/desktop_native/src/password/windows.rs#L16 - Product
  Added: () https://github.com/bitwarden/clients/blob/8b5a223ad4ca0f89b6c9bcdbddef464d1755d2c0/apps/desktop/desktop_native/src/password/windows.rs#L16 - Product
References
  Removed: () https://hackerone.com/reports/1874155 - Exploit, Issue Tracking, Third Party Advisory
  Added: () https://hackerone.com/reports/1874155 - Exploit, Issue Tracking, Third Party Advisory

15 Aug 2023, 17:15

Type Values Removed Values Added
Summary
  Removed: Bitwarden Desktop v1.20.0 and above stores the biometric key in plaintext which allows a local attacker to decrypt the entire local vault.
  Added: Bitwarden Windows desktop application versions prior to v2023.4.0 store biometric keys in Windows Credential Manager, accessible to other local unprivileged processes.

16 Jun 2023, 18:24

Type Values Removed Values Added
References
  Removed: (MISC) https://hackerone.com/reports/1874155 -
  Added: (MISC) https://hackerone.com/reports/1874155 - Exploit, Issue Tracking, Third Party Advisory
References
  Removed: (MISC) https://github.com/bitwarden/clients -
  Added: (MISC) https://github.com/bitwarden/clients - Product
References
  Removed: (MISC) https://github.com/bitwarden/clients/blob/8b5a223ad4ca0f89b6c9bcdbddef464d1755d2c0/apps/desktop/desktop_native/src/biometric/windows.rs#L19 -
  Added: (MISC) https://github.com/bitwarden/clients/blob/8b5a223ad4ca0f89b6c9bcdbddef464d1755d2c0/apps/desktop/desktop_native/src/biometric/windows.rs#L19 - Product
References
  Removed: (MISC) https://github.com/bitwarden/clients/blob/8b5a223ad4ca0f89b6c9bcdbddef464d1755d2c0/apps/desktop/desktop_native/src/password/windows.rs#L16 -
  Added: (MISC) https://github.com/bitwarden/clients/blob/8b5a223ad4ca0f89b6c9bcdbddef464d1755d2c0/apps/desktop/desktop_native/src/password/windows.rs#L16 - Product
CVSS
  Removed: v2 : unknown, v3 : unknown
  Added: v2 : unknown, v3 : 7.1
CWE
  Added: CWE-312
CPE
  Added: cpe:2.3:a:bitwarden:bitwarden:*:*:*:*:desktop:*:*:*

09 Jun 2023, 19:15

Type Values Removed Values Added
New CVE

Information

Published : 2023-06-09 19:15

Updated : 2024-11-21 07:53


NVD link : CVE-2023-27706

Mitre link : CVE-2023-27706

CVE.ORG link : CVE-2023-27706



Products Affected

bitwarden

  • bitwarden

CWE

CWE-312

Cleartext Storage of Sensitive Information