PT-2021-22020 · Unknown · Webauthn Framework

Published: 2021-09-27 · Updated: 2022-07-12 · CVE-2021-38299

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Webauthn Framework versions 3.3.x through 3.3.3
Description: The issue is related to Incorrect Access Control. An attacker controlling a user's system can log in to a vulnerable service using an attached FIDO2 authenticator without a user-presence check being performed.
Recommendations: For versions 3.3.x through 3.3.3, update to version 3.3.4 or later to resolve the issue. As a temporary workaround, consider restricting access to FIDO2 authenticators until the update is applied.
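As an added example that is not part of this advisory or the Webauthn Framework's own code, the following Python shows the relying-party check the description refers to: parsing the authenticator data returned with an assertion and refusing any response whose User Present flag is clear. The relying party id `example.org` and the sample authenticator data are constructed for illustration.

```python
import hashlib
import struct

# Flag bits of WebAuthn authenticator data (WebAuthn Level 2, section 6.1).
FLAG_UP = 0x01  # User Present: the authenticator confirmed a human used it
FLAG_UV = 0x04  # User Verified: PIN or biometric was checked by the authenticator

def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte prefix: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    flags = auth_data[32]
    return {
        "rp_id_hash": auth_data[:32],
        "flags": flags,
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
    }

def verify_assertion_flags(auth_data: bytes, rp_id: str, require_uv: bool = False) -> dict:
    """Relying-party checks on an assertion's authenticator data (signature/challenge checks not shown)."""
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match the relying party id")
    # The step this advisory is about: the UP bit must be set, otherwise an
    # attached authenticator could be driven without anyone touching it.
    if not parsed["user_present"]:
        raise ValueError("User Present (UP) flag not set")
    if require_uv and not parsed["user_verified"]:
        raise ValueError("User Verified (UV) required by policy but not set")
    return parsed

def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample input (hypothetical); a real authenticator emits these bytes."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)

def is_accepted(auth_data: bytes, rp_id: str, require_uv: bool = False) -> bool:
    """Convenience wrapper: True if the flag checks pass, False otherwise."""
    try:
        verify_assertion_flags(auth_data, rp_id, require_uv)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # Constructed assertion data for rp id "example.org" with UP set vs. cleared.
    print(is_accepted(make_auth_data("example.org", FLAG_UP, 1), "example.org"))  # True
    print(is_accepted(make_auth_data("example.org", 0x00, 1), "example.org"))     # False
```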

Fix

Weakness Enumeration

Improper Authentication
Incorrect Authorization

Related Identifiers

CVE-2021-38299
GHSA-6WHF-Q6P5-84WG

Affected Products

Webauthn Framework