CVE-2023-45669

2023-10-1619:15:11

CWE-287

GitHub_M

web.nvd.nist.gov

cve-2023-45669

webauthn4j spring security

signature counter

cloned authenticator

vulnerability

nvd

security advisory

upgrade

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

AI Score

5.1

Confidence

High

EPSS

0.001

Percentile

30.8%

JSON

WebAuthn4J Spring Security provides Web Authentication specification support for Spring applications. Affected versions are subject to improper signature counter value handling. A flaw was found in webauthn4j-spring-security-core. When an authneticator returns an incremented signature counter value during authentication, webauthn4j-spring-security-core does not properly persist the value, which means cloned authenticator detection does not work. An attacker who cloned valid authenticator in some way can use the cloned authenticator without being detected. This issue has been addressed in version 0.9.1.RELEASE. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected configurations

Nvd

Vulners

Node

webauthn4jspring_securityRange<0.9.1spring

VendorProductVersionCPE
webauthn4jspring_security*cpe:2.3:a:webauthn4j:spring_security:*:*:*:*:*:spring:*:*

Vendor	Product	Version	CPE
webauthn4j	spring_security	*	cpe:2.3:a:webauthn4j:spring_security::::::spring::*

CNA Affected

[
  {
    "vendor": "webauthn4j",
    "product": "webauthn4j-spring-security",
    "versions": [
      {
        "version": "< 0.9.1.RELEASE",
        "status": "affected"
      }
    ]
  }
]