CVE-2023-45669: 
Java vulnerability analysis and mitigation

WebAuthn4J Spring Security, a framework providing Web Authentication specification support for Spring applications, was found to have a vulnerability in versions prior to 0.9.1.RELEASE. The vulnerability (CVE-2023-45669) was discovered by Michael Budnick and disclosed on October 16, 2023. The issue affects the webauthn4j-spring-security-core package, which is responsible for handling WebAuthn authentication in Spring applications (NVD, GitHub Advisory).

The vulnerability stems from improper signature counter value handling in the authentication process. When an authenticator returns an incremented signature counter value during authentication, webauthn4j-spring-security-core fails to properly persist the value. This affects the cloned authenticator detection mechanism. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (MEDIUM) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N (NVD).

The vulnerability compromises the security mechanism designed to detect cloned authenticators. If an attacker manages to clone a valid authenticator, they can use the cloned authenticator without being detected by the system, potentially leading to unauthorized access to user accounts (GitHub Advisory).

The vulnerability has been patched in version 0.9.1.RELEASE of webauthn4j-spring-security-core. Users are strongly advised to upgrade to this version or later. There are no known workarounds for this vulnerability other than upgrading to the patched version (GitHub Advisory).