CVE-2023-45669

Description

Improper signature counter value handling ### Impact A flaw was found in webauthn4j-spring-security-core. When an authneticator returns an incremented signature counter value during authentication, webauthn4j-spring-security-core does not properly persist the value, which means cloned authenticator detection does not work. An attacker who cloned valid authenticator in some way can use the cloned authenticator without being detected. ### Patches Please upgrade to `com.webauthn4j:webauthn4j-spring-security-core:0.9.1.RELEASE` ### References For more details about WebAuthn signature counters, see [WebAuthn specification 6.1.1. Signature Counter Considerations](https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#sctn-sign-counter). ### Reporter This issue was discovered by Michael Budnick (@mbudnick)

How to fix CVE-2023-45669

To remediate CVE-2023-45669, upgrade the affected package to a fixed version below.

• —upgrade to 0.9.1.RELEASE or later

Is CVE-2023-45669 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 0.9.1.RELEASE

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-45669
• PATCHgithub.com/webauthn4j/webauthn4j-spring-security
• WEBgithub.com/webauthn4j/webauthn4j-spring-security/commit/129700d74d83f9b9a82bf88ebc63707e3cb0a725
• WEBgithub.com/webauthn4j/webauthn4j-spring-security/security/advisories/GHSA-v9hx-v6vf-g36j