CVE-2021-38299
CRITICAL9.8EPSS 0.55%Improper Access Control in Webauthn Framework
發布日:2021/9/29修改日:2024/2/17
描述
Webauthn Framework 3.3.x before 3.3.4 has Incorrect Access Control. An attacker that controls a user's system is able to login to a vulnerable service using an attached FIDO2 authenticator without passing a check of the user presence.
受影響套件(1)
- Packagist/web-auth/webauthn-framework>= 3.3.0, < 3.3.4
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
參考連結(6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-38299
- PATCHhttps://github.com/web-auth/webauthn-framework
- WEBhttps://github.com/web-auth/webauthn-framework/commit/572e239c5702667ca52487faf861abc768a46308
- WEBhttps://github.com/web-auth/webauthn-framework/releases
- WEBhttps://github.com/web-auth/webauthn-framework/releases/tag/v3.3.4
- WEBhttps://www.fzi.de/en/news/news/detail-en/artikel/fsa-2021-1-fehlende-ueberpruefung-von-user-presence-in-webauthn-framework