Bug 2446118 (CVE-2026-30964)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | CVE-2026-30964 web-auth/webauthn-lib: web-auth/webauthn-lib: Origin validation bypass due to host component reduction | | |
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | Keywords: | Security |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | --- |
| Doc Text: | A flaw was found in web-auth/webauthn-lib. The CheckAllowedOrigins function, when configured with allowed_origins, incorrectly processes URL-like values by reducing them to their host component. This behavior ignores scheme and port differences, preventing the enforcement of precise origin policies. This could allow an attacker to bypass security restrictions, potentially leading to unauthorized information access or data manipulation. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 2446241, 2446243, 2446240, 2446242 | | |
| Bug Blocks: | | | |
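The Doc Text above describes the core problem: collapsing an origin to its host component makes `http://example.com`, `https://example.com` and `https://example.com:8443` indistinguishable, even though a WebAuthn client's `clientDataJSON.origin` is a full scheme/host/port serialization. The following Python example is added here for illustration; it is not code from web-auth/webauthn-lib, and the function names (`host_only`, `canonical_origin`, `allowed_by_host`, `allowed_strict`) are assumptions. It places the lossy host-only comparison next to a strict comparison that canonicalizes scheme, host and port (dropping only the scheme's default port) and rejects values that are not complete origins.

```python
from typing import Optional
from urllib.parse import urlsplit

# Default ports per scheme: an explicit default port is the same origin
# as no port at all (https://example.com:443 == https://example.com).
DEFAULT_PORTS = {"http": 80, "https": 443}


def host_only(value: str) -> Optional[str]:
    """Lossy reduction of a URL-like value to its host component.

    This is a constructed illustration of the comparison the advisory
    describes as flawed: scheme and port are discarded.
    """
    parts = urlsplit(value if "://" in value else f"//{value}")
    return parts.hostname if parts.hostname else None


def canonical_origin(value: str) -> Optional[str]:
    """Serialize a value as scheme://host[:port], or None if it is not an origin.

    Only http/https are accepted, a path/query/fragment disqualifies the
    value, and the scheme's default port is omitted so that equivalent
    spellings compare equal.
    """
    parts = urlsplit(value)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    try:
        port = parts.port  # ValueError on a malformed port such as ":abc"
    except ValueError:
        return None
    host = parts.hostname  # urlsplit already lowercases the host
    if ":" in host:  # IPv6 literal: restore the brackets for serialization
        host = f"[{host}]"
    if port is None or port == DEFAULT_PORTS[parts.scheme]:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def allowed_by_host(client_origin: str, allowed_origins: list) -> bool:
    """Lossy check: any allowed entry with the same host matches."""
    host = host_only(client_origin)
    return host is not None and any(host == host_only(a) for a in allowed_origins)


def allowed_strict(client_origin: str, allowed_origins: list) -> bool:
    """Strict check: scheme, host and port must all match an allowed origin."""
    client = canonical_origin(client_origin)
    if client is None:
        return False
    return any(client == canonical_origin(a) for a in allowed_origins)


if __name__ == "__main__":
    # Constructed sample policy: only the HTTPS site on the default port.
    allowed = ["https://example.com"]
    for origin in ("https://example.com", "https://example.com:443",
                   "http://example.com", "https://example.com:8443",
                   "example.com"):
        print(f"{origin:28} host-only={allowed_by_host(origin, allowed)!s:5} "
              f"strict={allowed_strict(origin, allowed)}")
```

Run stand-alone, the table it prints shows the divergence: the host-only check accepts the plain-HTTP and non-default-port origins that the strict check rejects, while both accept the explicit `:443` spelling of the allowed origin. A value with no scheme is not an origin and is rejected outright by the strict check rather than being guessed at.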
Description
OSIDB Bzimport, 2026-03-10 18:04:06 UTC