CVE-2023-45669

2023-10-1619:15:11

CWE-287

[email protected]

web.nvd.nist.gov

cve-2023-45669

webauthn4j spring security

signature counter

cloned authenticator

vulnerability

nvd

security advisory

upgrade

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

5.1 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

27.2%

JSON

WebAuthn4J Spring Security provides Web Authentication specification support for Spring applications. Affected versions are subject to improper signature counter value handling. A flaw was found in webauthn4j-spring-security-core. When an authneticator returns an incremented signature counter value during authentication, webauthn4j-spring-security-core does not properly persist the value, which means cloned authenticator detection does not work. An attacker who cloned valid authenticator in some way can use the cloned authenticator without being detected. This issue has been addressed in version 0.9.1.RELEASE. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected configurations

Vulners

NVD

Node

webauthn4jspring_securityRange<0.9.1.RELEASE

VendorProductVersionCPE
webauthn4jspring_security*cpe:2.3:a:webauthn4j:spring_security:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
webauthn4j	spring_security	*	cpe:2.3:a:webauthn4j:spring_security::::::::

CNA Affected

[
  {
    "vendor": "webauthn4j",
    "product": "webauthn4j-spring-security",
    "versions": [
      {
        "version": "< 0.9.1.RELEASE",
        "status": "affected"
      }
    ]
  }
]