CVE-2023-27706

Published: 09/06/2023 | Updated: 08/11/2023
CVSS v3 Base Score: 7.1 | Impact Score: 5.2 | Exploitability Score: 1.8
VMScore: 0

Vulnerability Summary

Bitwarden Windows desktop application versions prior to v2023.4.0 store biometric keys in Windows Credential Manager, accessible to other local unprivileged processes.

Vulnerable Product

bitwarden bitwarden

Github Repositories

Tools to Exploit Bitwarden v2023.3.0 with Windows Hello

This repository contains the tools to exploit Bitwarden v2023.3.0 when the Windows Hello feature is enabled as described in our blog post Dump Keys from DPAPI. The tool dpapidump dumps credentials from DPAPI, including the biometric key of Bitwarden v2023.3.0 (CVE-2023-27706). It can be used as follows: cd dpapidump GOOS=w