web-auth/webauthn-lib is an open source set of PHP libraries and a Symfony bundle to allow developers to integrate that authentication mechanism into their web applications. Prior to 5.2.4, when allowed_origins is configured, CheckAllowedOrigins reduces URL-like values to their host component and accepts on host match alone. This makes exact origin policies impossible to express: scheme and port differences are silently ignored.
This vulnerability is fixed in 5.2.4.
Attack Parameters
Attack Vector
Network
Атака возможна удалённо
Attack Complexity
Low
Легко эксплуатировать
Privileges Required
None
Права не нужны
User Interaction
Required
Нужно действие пользователя
Impact Assessment
Confidentiality
Low
Частичная утечка данных
Integrity
Low
Частичная модификация данных
Availability
None
Нет нарушения работы
CVSS Vector v3.1
Weakness Type (CWE)
References 3
https://github.com/web-auth/webauthn-framework/commit/535cc3c2dcbd9c3dfd5e00a25…
security-advisories@github.com
https://github.com/web-auth/webauthn-framework/commit/b4cd9a4394c35fcac6080fd2f…
security-advisories@github.com
https://github.com/web-auth/webauthn-framework/security/advisories/GHSA-f7pm-6h…
security-advisories@github.com