Incorrect Access Control in Webauthn Framework 3.3.x before 3.3.4 Allows Unauthorized Login via FIDO2 Authenticator

CVE-2021-38299 · CRITICAL Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Webauthn Framework 3.3.x before 3.3.4 has Incorrect Access Control. An attacker who controls a user's system is able to log in to a vulnerable service using an attached FIDO2 authenticator without passing the user presence check.
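
In WebAuthn, the authenticator reports user presence in the UP bit of the flags byte in authenticatorData, and the relying party is expected to reject assertions where it is not set. The sketch below is an added example of that server-side check, not code from the Webauthn Framework or its fix; the function names, the RP ID example.test and the sample bytes are assumptions constructed for illustration.

```python
import hashlib
import hmac
import struct

FLAG_UP = 0x01  # bit 0 of the flags byte: user present
FLAG_UV = 0x04  # bit 2 of the flags byte: user verified


class AuthDataError(ValueError):
    """Raised when authenticatorData fails a relying-party check."""


def parse_authenticator_data(auth_data: bytes) -> dict:
    # Fixed header: rpIdHash (32) | flags (1) | signCount (4, big-endian)
    if len(auth_data) < 37:
        raise AuthDataError("authenticatorData shorter than 37 bytes")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "sign_count": sign_count,
    }


def check_assertion_flags(auth_data: bytes, rp_id: str, require_uv: bool = False) -> dict:
    parsed = parse_authenticator_data(auth_data)
    expected = hashlib.sha256(rp_id.encode("utf-8")).digest()
    if not hmac.compare_digest(parsed["rp_id_hash"], expected):
        raise AuthDataError("rpIdHash does not match the expected RP ID")
    # Fail closed: an assertion without the UP bit is rejected.
    if not parsed["user_present"]:
        raise AuthDataError("user presence (UP) flag not set")
    if require_uv and not parsed["user_verified"]:
        raise AuthDataError("user verification (UV) flag not set")
    return parsed


def build_sample_auth_data(flags: int, rp_id: str = "example.test", count: int = 7) -> bytes:
    # Constructed sample input, not captured from a real authenticator.
    return hashlib.sha256(rp_id.encode("utf-8")).digest() + bytes([flags]) + struct.pack(">I", count)


if __name__ == "__main__":
    print(check_assertion_flags(build_sample_auth_data(FLAG_UP), "example.test"))
```

The flags are only meaningful once the assertion signature over authenticatorData and the client data hash has been verified, which this example leaves out.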
