Описание
Improper Access Control in Webauthn Framework
Webauthn Framework 3.3.x before 3.3.4 has Incorrect Access Control. An attacker that controls a user's system is able to login to a vulnerable service using an attached FIDO2 authenticator without passing a check of the user presence.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2021-38299
- https://github.com/web-auth/webauthn-framework/commit/572e239c5702667ca52487faf861abc768a46308
- https://github.com/web-auth/webauthn-framework/releases
- https://github.com/web-auth/webauthn-framework/releases/tag/v3.3.4
- https://www.fzi.de/en/news/news/detail-en/artikel/fsa-2021-1-fehlende-ueberpruefung-von-user-presence-in-webauthn-framework
Пакеты
Наименование
web-auth/webauthn-framework
composer
Затронутые версииВерсия исправления
>= 3.3.0, < 3.3.4
3.3.4
Связанные уязвимости
CVSS3: 9.8
nvd
больше 4 лет назад
Webauthn Framework 3.3.x before 3.3.4 has Incorrect Access Control. An attacker that controls a user's system is able to login to a vulnerable service using an attached FIDO2 authenticator without passing a check of the user presence.