Vulnerability Details CVE-2021-38299
Webauthn Framework 3.3.x before 3.3.4 has Incorrect Access Control. An attacker that controls a user's system is able to login to a vulnerable service using an attached FIDO2 authenticator without passing a check of the user presence.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 56.7%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 7.5
References
- https://github.com/web-auth/webauthn-framework/releases
- https://www.fzi.de/en/news/news/detail-en/artikel/fsa-2021-1-fehlende-ueberpruefung-von-user-presence-in-webauthn-framework/
- https://github.com/web-auth/webauthn-framework/releases
- https://www.fzi.de/en/news/news/detail-en/artikel/fsa-2021-1-fehlende-ueberpruefung-von-user-presence-in-webauthn-framework/
Products affected by CVE-2021-38299
-
cpe:2.3:a:spomky-labs:webauthn_framwork:*
-
cpe:2.3:a:spomky-labs:webauthn_framwork:3.3.0
-
cpe:2.3:a:spomky-labs:webauthn_framwork:3.3.1
-
cpe:2.3:a:spomky-labs:webauthn_framwork:3.3.2
-
cpe:2.3:a:spomky-labs:webauthn_framwork:3.3.3