CVE-2021-38299
CRITICAL
webauthn_framwork 3.3.0-3.3.3 - Improper Authentication via User Presence Bypass
Title source: llm
Description
Webauthn Framework 3.3.x before 3.3.4 has Incorrect Access Control. An attacker who controls a user's system is able to log in to a vulnerable service using an attached FIDO2 authenticator without passing the user presence check.
References (2)
Core References
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/web-auth/webauthn-framework/releases
Third Party Advisory x_refsource_misc
https://www.fzi.de/en/news/news/detail-en/artikel/fsa-2021-1-fehlende-ueberpruefung-von-user-presence-in-webauthn-framework/
Scores
CVSS v3: 9.8
EPSS: 0.0174
EPSS Percentile: 74.9%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-287
Status: published
Products (2)
spomky-labs/webauthn_framwork: < 3.2.9
web-auth/webauthn-framework: 3.3.0 - 3.3.4 (Packagist)
Published: Sep 27, 2021
Tracked Since: Feb 18, 2026