6 matches found

Github Security Blog
added 2026/05/06 11:31 p.m., 7 views

webauthn-rs-core/webauthn-authenticator-rs: Origin validation mismatch possible when subdomains are allowed

Summary: webauthn-rs-core (Relying Party) and webauthn-authenticator-rs (client) checked that an Origin (in CollectedClientData) is valid for an RP ID with str::ends_with, without checking for a dot (.) before the RP ID when allowing subdomains. This check is flawed,...

5.9 AI score
Exploits: 0 | References: 2 | Affected Software: 2
OSV
added 2026/05/06 11:31 p.m., 3 views

GHSA-22W3-693W-X895 webauthn-rs-core/webauthn-authenticator-rs: Origin validation mismatch possible when subdomains are allowed

Summary: webauthn-rs-core (Relying Party) and webauthn-authenticator-rs (client) checked that an Origin (in CollectedClientData) is valid for an RP ID with str::ends_with, without checking for a dot (.) before the RP ID when allowing subdomains. This check is flawed,...

2.3 CVSS | 5.9 AI score
Exploits: 0 | References: 2
OSV
added 2026/03/10 1:19 a.m., 5 views

GHSA-F7PM-6HR8-7GGM Webauthn Framework: allowed_origins collapses URL-like origins to host-only values, bypassing exact origin validation

Summary: When allowed_origins is configured, CheckAllowedOrigins reduces URL-like values to their host component and accepts on host match alone. This makes exact origin policies impossible to express: scheme and port differences are silently ignored. Details: CheckAllowedOrigins stores each...

5.4 CVSS | 5.8 AI score | 0.00197 EPSS
Exploits: 1 | References: 5
RedhatCVE
added 2026/01/15 5:22 p.m., 4 views

CVE-2026-22694

AliasVault is a privacy-first password manager with built-in email aliasing. AliasVault Android versions 0.24.0 through 0.25.2 contained an issue in how passkey requests from Android apps were validated. Under certain local conditions, a malicious app could attempt to obtain a passkey response fo...

6.1 CVSS | 6.4 AI score | 0.0011 EPSS
Exploits: 0 | References: 1
NVD
added 2026/01/14 5:16 p.m., 4 views

CVE-2026-22694

AliasVault is a privacy-first password manager with built-in email aliasing. AliasVault Android versions 0.24.0 through 0.25.2 contained an issue in how passkey requests from Android apps were validated. Under certain local conditions, a malicious app could attempt to obtain a passkey response fo...

6.1 CVSS | 0.0011 EPSS
Exploits: 0 | References: 5
Positive Technologies
added 2026/01/14 12:0 a.m., 4 views

PT-2026-2917

AliasVault is a privacy-first password manager with built-in email aliasing. AliasVault Android versions 0.24.0 through 0.25.2 contained an issue in how passkey requests from Android apps were validated. Under certain local conditions, a malicious app could attempt to obtain a passkey response fo...

6.1 CVSS | 6.4 AI score | 0.0011 EPSS
Exploits: 0 | References: 6