CVSS3

Metric | Value
---|---
Attack Vector | NETWORK
Attack Complexity | LOW
Privileges Required | NONE
User Interaction | NONE
Scope | UNCHANGED
Confidentiality Impact | LOW
Integrity Impact | NONE
Availability Impact | NONE
Vector string | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score
Confidence: High

EPSS
Percentile: 9.3%
The ProfileBasedRequestOptionsBuilder method returns an allowedCredentials list with no entries when the requested username is not found.
When WebAuthn is used as the first or only authentication method, an attacker can enumerate usernames based on the absence of the allowedCredentials
property in the assertion options response: a valid username yields the property, an invalid one does not, so the two can be told apart.

The fix substitutes random credential descriptors whenever the lookup returns nothing, so the response shape no longer depends on whether the username exists:
```php
// Imports the excerpt relies on (namespaces assumed from webauthn-lib and symfony/uid).
use Symfony\Component\Uid\Uuid;
use Webauthn\PublicKeyCredentialDescriptor;
use Webauthn\PublicKeyCredentialSource;
use Webauthn\TrustPath\EmptyTrustPath;

// Patched section of ProfileBasedRequestOptionsBuilder: when the username
// lookup produced no credentials, hand the factory decoy descriptors instead
// of an empty list, so unknown and known users get the same response shape.
return $this->publicKeyCredentialRequestOptionsFactory->create(
    $this->profile,
    count($allowedCredentials) <= 0 ? self::getRandomCredentials() : $allowedCredentials,
    $optionsRequest->userVerification,
    $extensions
);

/**
 * Builds one or two decoy credential sources from random bytes and returns
 * their descriptors, so the decoy count also varies between requests.
 */
private static function getRandomCredentials(): array
{
    $credentialSources = [];
    // rand(0, 1) is re-rolled on every iteration: the loop runs once or twice.
    for ($i = 0; $i <= rand(0, 1); $i++) {
        $credentialSources[] = new PublicKeyCredentialSource(
            random_bytes(32),         // credential ID
            "public-key",             // credential type
            [],                       // transports
            "basic",                  // attestation type
            new EmptyTrustPath(),     // trust path
            Uuid::v7(),               // AAGUID
            random_bytes(77),         // credential public key
            Uuid::v7()->__toString(), // user handle
            rand(0, 6000),            // signature counter
            null                      // other UI data
        );
    }
    return array_map(
        static fn (PublicKeyCredentialSource $credential): PublicKeyCredentialDescriptor => $credential->getPublicKeyCredentialDescriptor(),
        $credentialSources
    );
}
```
The behaviour can be observed by requesting assertion options for a username that does not exist and checking whether allowCredentials is present in the response:

```bash
curl https://example.com/assertion/options \
  -H 'content-type: application/json' \
  --data-raw '{"username":"NotMeRandomUsername123"}'
```
By knowing which usernames are valid, attackers can focus their efforts on a smaller set of potential targets, increasing the efficiency and likelihood of successful attacks.
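To make the oracle concrete, the following is an added Python model (not the project's code) of the pre-fix and post-fix options builders, plus a regression check that compares only what a client can observe; the registry, usernames and credential IDs are constructed placeholders.

```python
import secrets
from typing import Callable

# Constructed registry (placeholder values, not from the advisory):
# usernames mapped to their registered credential IDs.
REGISTRY = {"alice": [b"\x01" * 32, b"\x02" * 32]}


def descriptors_for(cred_ids: list) -> list:
    return [{"type": "public-key", "id": c.hex()} for c in cred_ids]


def options_vulnerable(username: str) -> dict:
    """Pre-fix behaviour: the serializer drops allowCredentials when the
    username has no registered credentials, so the key is simply absent."""
    opts = {"challenge": secrets.token_hex(32), "userVerification": "preferred"}
    creds = REGISTRY.get(username, [])
    if creds:
        opts["allowCredentials"] = descriptors_for(creds)
    return opts


def random_descriptors() -> list:
    """Mirror of getRandomCredentials(): one or two decoys with random IDs."""
    return descriptors_for([secrets.token_bytes(32)
                            for _ in range(secrets.choice([1, 2]))])


def options_patched(username: str) -> dict:
    """Post-fix behaviour: unknown users receive decoy descriptors instead."""
    creds = REGISTRY.get(username, [])
    return {
        "challenge": secrets.token_hex(32),
        "allowCredentials": descriptors_for(creds) or random_descriptors(),
        "userVerification": "preferred",
    }


def response_shape(options: dict) -> tuple:
    """What a client can observe without knowing the IDs: the key set and
    whether allowCredentials is non-empty (decoy IDs vary per request)."""
    allow = options.get("allowCredentials") or []
    return (tuple(sorted(options)), len(allow) > 0)


def leaks_username_validity(build: Callable[[str], dict]) -> bool:
    """Regression check: known and unknown usernames must look the same."""
    return response_shape(build("alice")) != response_shape(
        build("NotMeRandomUsername123"))
```

Running `leaks_username_validity` against a real endpoint wrapper gives a defender a cheap test that the assertion-options response no longer differs for unknown usernames.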
Vendor | Product | Version | CPE
---|---|---|---
web-auth | webauthn-framework | * | cpe:2.3:a:web-auth:webauthn-framework:*:*:*:*:*:*:*:*
web-auth | webauthn-lib | * | cpe:2.3:a:web-auth:webauthn-lib:*:*:*:*:*:*:*:*
github.com/advisories/GHSA-875x-g8p7-5w27
github.com/web-auth/webauthn-framework/commit/64de11f6cddc71e56c76e0cc4573bf94d02be045
github.com/web-auth/webauthn-framework/commit/a9d1352897fba552e659e1445a771dec2d4ed05a
github.com/web-auth/webauthn-framework/security/advisories/GHSA-875x-g8p7-5w27
github.com/web-auth/webauthn-lib/commit/b6798de27cdedd8681fe4c9b13ace0ff2456d18b
nvd.nist.gov/vuln/detail/CVE-2024-39912