Vulnerability Description
Webauthn Framework 3.3.x before 3.3.4 has Incorrect Access Control. An attacker who controls a user's system is able to log in to a vulnerable service using an attached FIDO2 authenticator without passing the user presence check.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Spomky-Labs | Webauthn Framework | < 3.2.9 |
Related Weaknesses (CWE)
References
- https://github.com/web-auth/webauthn-framework/releases (Release Notes, Third Party Advisory)
- https://www.fzi.de/en/news/news/detail-en/artikel/fsa-2021-1-fehlende-ueberpruef (Third Party Advisory)
FAQ
What is CVE-2021-38299?
CVE-2021-38299 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Webauthn Framework 3.3.x before 3.3.4 has Incorrect Access Control. An attacker who controls a user's system is able to log in to a vulnerable service using an attached FIDO2 authenticator without pas...
How severe is CVE-2021-38299?
CVE-2021-38299 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2021-38299?
Check the references section above for vendor advisories and patch information. Affected products include: Spomky-Labs Webauthn Framework.