CVE-2023-45669

描述

Improper signature counter value handling ### Impact A flaw was found in webauthn4j-spring-security-core. When an authneticator returns an incremented signature counter value during authentication, webauthn4j-spring-security-core does not properly persist the value, which means cloned authenticator detection does not work. An attacker who cloned valid authenticator in some way can use the cloned authenticator without being detected. ### Patches Please upgrade to `com.webauthn4j:webauthn4j-spring-security-core:0.9.1.RELEASE` ### References For more details about WebAuthn signature counters, see [WebAuthn specification 6.1.1. Signature Counter Considerations](https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#sctn-sign-counter). ### Reporter This issue was discovered by Michael Budnick (@mbudnick)

如何修補 CVE-2023-45669

要修補 CVE-2023-45669,請將受影響套件升級到下列已修補版本。

• —升級至 0.9.1.RELEASE 或更新版本

CVE-2023-45669 正在被利用嗎?

低 — EPSS 為 0.4%,目前沒有觀察到大規模利用活動。

受影響套件(1)

• from 0, < 0.9.1.RELEASE

CVSS 分數

參考連結(5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-45669
• PATCHgithub.com/webauthn4j/webauthn4j-spring-security
• WEBgithub.com/webauthn4j/webauthn4j-spring-security/commit/129700d74d83f9b9a82bf88ebc63707e3cb0a725
• WEBgithub.com/webauthn4j/webauthn4j-spring-security/security/advisories/GHSA-v9hx-v6vf-g36j