CVE-2023-27706

Bitwarden Windows desktop application versions prior to v2023.4.0 store biometric keys in Windows Credential Manager, accessible to other local unprivileged processes.

Weakness

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

Affected Software

Name	Vendor	Start Version	End Version
Bitwarden	Bitwarden	*	2023.4.0 (excluding)

Potential Mitigations

https://cwe.mitre.org/data/definitions/37.html

References

https://github.com/bitwarden/clients
https://github.com/bitwarden/clients/blob/8b5a223ad4ca0f89b6c9bcdbddef464d1755d2c0/apps/desktop/desktop_native/src/biometric/windows.rs#L19
https://github.com/bitwarden/clients/blob/8b5a223ad4ca0f89b6c9bcdbddef464d1755d2c0/apps/desktop/desktop_native/src/password/windows.rs#L16
https://hackerone.com/reports/1874155
https://github.com/bitwarden/clients
https://github.com/bitwarden/clients/blob/8b5a223ad4ca0f89b6c9bcdbddef464d1755d2c0/apps/desktop/desktop_native/src/biometric/windows.rs#L19
https://github.com/bitwarden/clients/blob/8b5a223ad4ca0f89b6c9bcdbddef464d1755d2c0/apps/desktop/desktop_native/src/password/windows.rs#L16
https://hackerone.com/reports/1874155

NVD	https://nvd.nist.gov/vuln/detail/CVE-2023-27706
CWE	https://cwe.mitre.org/data/definitions/312.html

Cleartext Storage of Sensitive Information

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References