CVE-2023-45669 MEDIUM

CVE-2023-45669: Improper signature counter value handling in webauthn4j-spring-security

Vendor Webauthn4J
Product webauthn4j-spring-security
Weakness CWE-287 · Improper authentication
Published October 16, 2023
Last update September 13, 2024

CVSS base score

4.8/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

Description

WebAuthn4J Spring Security provides Web Authentication specification support for Spring applications. Affected versions are subject to improper signature counter value handling. A flaw was found in webauthn4j-spring-security-core. When an authenticator returns an incremented signature counter value during authentication, webauthn4j-spring-security-core does not properly persist the value, which means cloned authenticator detection does not work. An attacker who has cloned a valid authenticator in some way can use the cloned authenticator without being detected. This issue has been addressed in version `0.9.1.RELEASE`. Users are advised to upgrade. There are no known workarounds for this vulnerability.
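The relying-party check the advisory refers to (WebAuthn Level 2, section 7.2, step 21), as an added illustration in Python rather than webauthn4j's own Java code; the credential store layout and function names are assumptions, and the `persist` flag only exists to contrast the defective behaviour with the corrected one.

```python
# Added example (not webauthn4j's code): minimal relying-party signature
# counter handling as described in WebAuthn Level 2, section 7.2, step 21.
# StoredCredential and check_counter are hypothetical names.
from dataclasses import dataclass


class ClonedAuthenticatorError(Exception):
    """Raised when the asserted counter does not exceed the stored counter."""


@dataclass
class StoredCredential:
    credential_id: bytes
    sign_count: int  # counter value from the last successful authentication


def check_counter(cred: StoredCredential, asserted_count: int, persist: bool) -> None:
    """Validate the authenticator's signature counter against the stored one.

    persist=True is the correct behaviour (the fix). persist=False reproduces the
    class of defect in the advisory: the comparison is performed, but the new
    counter is never written back, so the stored value stays at its initial 0
    and every later assertion passes, including one from a cloned authenticator.
    """
    if asserted_count != 0 or cred.sign_count != 0:
        if asserted_count <= cred.sign_count:
            raise ClonedAuthenticatorError(
                f"counter {asserted_count} <= stored {cred.sign_count}; possible clone"
            )
    if persist:
        cred.sign_count = asserted_count  # the step the vulnerable versions skipped


def simulate(persist: bool) -> bool:
    """Constructed scenario: the genuine authenticator signs twice (counters 1
    and 2); a copy made after the first sign-in, sharing counter state 1, then
    signs with its own next value, 2. Returns True if that copy was detected."""
    cred = StoredCredential(credential_id=b"cred-1", sign_count=0)
    check_counter(cred, 1, persist)  # genuine login, counter 1
    check_counter(cred, 2, persist)  # genuine login, counter 2
    try:
        check_counter(cred, 2, persist)  # copy presents counter 2 again
    except ClonedAuthenticatorError:
        return True
    return False


if __name__ == "__main__":
    print("fixed detects copy:", simulate(persist=True))       # True
    print("vulnerable detects copy:", simulate(persist=False))  # False
```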

Key dates

Disclosure timeline

October 16, 2023 CVE published
September 13, 2024 Record updated
