Lucene search

Veracode Vulnerability DatabaseVERACODE:43862

HistoryOct 18, 2023 - 6:31 a.m.

Improper Authentication

2023-10-1806:31:23

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

webauthn4j

vulnerability

authentication

authenticator

cloned authenticators

exploitation

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

0.001 Low

EPSS

Percentile

27.4%

JSON

WebAuthn4J is vulnerable to Improper Authentication. The vulnerability is due to the improper persistence of an incremented signature counter value by the authenticator during authentication. This can be exploited by the attacker using cloned authenticators without being detected.

CPENameOperatorVersion
webauthn4j-spring-security-corele0.9.0.RELEASE
webauthn4j-spring-security-corele0.9.0.RELEASE

CPE	Name	Operator	Version
	webauthn4j-spring-security-core	le	0.9.0.RELEASE
	webauthn4j-spring-security-core	le	0.9.0.RELEASE

References

github.com/webauthn4j/webauthn4j-spring-security/commit/129700d74d83f9b9a82bf88ebc63707e3cb0a725

github.com/webauthn4j/webauthn4j-spring-security/security/advisories/GHSA-v9hx-v6vf-g36j

www.w3.org/TR/2021/REC-webauthn-2-20210408/#sctn-sign-counter

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

0.001 Low

EPSS

Percentile

27.4%

JSON

Related for VERACODE:43862