Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2023-45669

Опубликовано: 16 окт. 2023
Источник: redhat
CVSS3: 4.3

Описание

WebAuthn4J Spring Security provides Web Authentication specification support for Spring applications. Affected versions are subject to improper signature counter value handling. A flaw was found in webauthn4j-spring-security-core. When an authneticator returns an incremented signature counter value during authentication, webauthn4j-spring-security-core does not properly persist the value, which means cloned authenticator detection does not work. An attacker who cloned valid authenticator in some way can use the cloned authenticator without being detected. This issue has been addressed in version 0.9.1.RELEASE. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Build of Keycloakorg.keycloak-keycloak-parentNot affected
Red Hat JBoss Enterprise Application Platform 6keycloak-adapter-sso7_4-eap6Not affected
Red Hat JBoss Enterprise Application Platform 6keycloak-adapter-sso7_5-eap6Not affected
Red Hat JBoss Enterprise Application Platform 6org.keycloak-keycloak-parentNot affected
Red Hat JBoss Enterprise Application Platform 8org.keycloak-keycloak-parentNot affected
Red Hat Single Sign-On 7com.webauthn4j-webauthn4jNot affected
Red Hat Single Sign-On 7org.keycloak-keycloak-parentNot affected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-287
https://bugzilla.redhat.com/show_bug.cgi?id=2260177webauthn4j: improper signature counter value handling

4.3 Medium

CVSS3

Связанные уязвимости

nvd логотип

CVE-2023-45669

CVSS3: 4.8
nvd
больше 2 лет назад

WebAuthn4J Spring Security provides Web Authentication specification support for Spring applications. Affected versions are subject to improper signature counter value handling. A flaw was found in webauthn4j-spring-security-core. When an authneticator returns an incremented signature counter value during authentication, webauthn4j-spring-security-core does not properly persist the value, which means cloned authenticator detection does not work. An attacker who cloned valid authenticator in some way can use the cloned authenticator without being detected. This issue has been addressed in version `0.9.1.RELEASE`. Users are advised to upgrade. There are no known workarounds for this vulnerability.

github логотип

GHSA-v9hx-v6vf-g36j

CVSS3: 4.8
github
больше 2 лет назад

WebAuthn4J Spring Security Improper signature counter value handling

4.3 Medium

CVSS3