Bug 2260177 (CVE-2023-45669) - CVE-2023-45669 webauthn4j: improper signature counter value handling
Summary: CVE-2023-45669 webauthn4j: improper signature counter value handling
Keywords:
Status: NEW
Alias: CVE-2023-45669
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2244547
Reported: 2024-01-24 20:09 UTC by Anten Skrabec
Modified: 2026-04-01 08:27 UTC (History)

Fixed In Version: webauthn4j 0.9.1.RELEASE
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Anten Skrabec 2024-01-24 20:09:07 UTC
WebAuthn4J Spring Security provides Web Authentication specification support for Spring applications. Affected versions are subject to improper signature counter value handling. A flaw was found in webauthn4j-spring-security-core. When an authenticator returns an incremented signature counter value during authentication, webauthn4j-spring-security-core does not properly persist the value, which means cloned authenticator detection does not work. An attacker who cloned a valid authenticator in some way can use the cloned authenticator without being detected.
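The following is an added illustration, not code from webauthn4j or the reporter: it sketches the relying-party signature counter check from section 7.2 of the WebAuthn specification, with the defect described above (counter compared but never written back) beside the corrected flow. `StoredCredential`, `check_counter`, the two `authenticate_*` functions and the replay scenario in `simulate` are constructed for this example.

```python
from dataclasses import dataclass


@dataclass
class StoredCredential:
    credential_id: bytes
    sign_count: int  # last counter value the relying party recorded for this credential


class ClonedAuthenticatorError(Exception):
    """Counter did not increase: a possible cloned authenticator (WebAuthn 7.2)."""


def check_counter(stored: StoredCredential, new_sign_count: int) -> None:
    # Both zero means the authenticator implements no counter, so there is
    # nothing to compare. Otherwise the counter must strictly increase.
    if new_sign_count == 0 and stored.sign_count == 0:
        return
    if new_sign_count <= stored.sign_count:
        raise ClonedAuthenticatorError(
            f"signCount {new_sign_count} <= stored {stored.sign_count}")


def authenticate_vulnerable(store: dict, credential_id: bytes, new_sign_count: int) -> bool:
    cred = store[credential_id]
    check_counter(cred, new_sign_count)
    # Defect modelled here: the incremented counter is never persisted, so the
    # stored value stays at its initial value and any later value passes.
    return True


def authenticate_fixed(store: dict, credential_id: bytes, new_sign_count: int) -> bool:
    cred = store[credential_id]
    check_counter(cred, new_sign_count)
    cred.sign_count = new_sign_count  # persist so the next assertion is compared against it
    return True


def simulate(authenticate) -> str:
    """Constructed scenario: the genuine device is used twice (counters 5, 6);
    a copy taken while the counter was 5 is then used and presents 6 again."""
    store = {b"cred-1": StoredCredential(b"cred-1", sign_count=0)}
    authenticate(store, b"cred-1", 5)
    authenticate(store, b"cred-1", 6)
    try:
        authenticate(store, b"cred-1", 6)  # repeated counter from the copy
        return "accepted"
    except ClonedAuthenticatorError:
        return "rejected"
```

Without persistence the repeated counter is compared against the stale initial value and accepted; once the value is written back, the repeat is rejected.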

