logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2024-39912 web-auth/webauthn-framework

Package

Manager: composer
Name: web-auth/webauthn-framework
Vulnerable Version: >=4.5.0 <4.9.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00168 pctl0.38359

Details

The FIDO2/Webauthn Support for PHP library allows enumeration of valid usernames ### Summary The ProfileBasedRequestOptionsBuilder method returns allowedCredentials without any credentials if no username was found. ### Details When WebAuthn is used as the first or only authentication method, an attacker can enumerate usernames based on the absence of the `allowedCredentials` property in the assertion options response. This allows enumeration of valid or invalid usernames. #### Proposal how to resolve it: ``` return $this->publicKeyCredentialRequestOptionsFactory->create( $this->profile, count($allowedCredentials) <= 0 ? self::getRandomCredentials(): $allowedCredentials, $optionsRequest->userVerification, $extensions ); private static function getRandomCredentials(): array { $credentialSources = []; for ($i = 0; $i <= rand(0,1); $i++) { $credentialSources[] = new PublicKeyCredentialSource( random_bytes(32), "public-key", [], "basic", new EmptyTrustPath(), Uuid::v7(), random_bytes(77), Uuid::v7()->__toString(), rand(0, 6000), null ); } return array_map( static fn (PublicKeyCredentialSource $credential): PublicKeyCredentialDescriptor => $credential->getPublicKeyCredentialDescriptor(), $credentialSources ); } ``` ### PoC curl https://example.com/assertion/options \ -H 'content-type: application/json' \ --data-raw '{"username":"NotMeRandomUsername123"}' ### Impact By knowing which usernames are valid, attackers can focus their efforts on a smaller set of potential targets, increasing the efficiency and likelihood of successful attacks.

Metadata

Created: 2024-07-15T16:37:49Z
Modified: 2024-07-15T21:38:21Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-875x-g8p7-5w27/GHSA-875x-g8p7-5w27.json
CWE IDs: ["CWE-204"]
Alternative ID: GHSA-875x-g8p7-5w27
Finding: F047
Auto approve: 1