Webauthn Server Core
Monthly
Authentication bypass in Yubico java-webauthn-server (webauthn-server-core) 2.8.0 through 2.8.1 allows an attacker holding any valid registered credential to impersonate other users during the second-factor flow. The flaw stems from an unchecked return value in finishAssertion that accepts a successful authentication result even when the authenticated credential belongs to a different user than the one named in StartAssertionOptions.username. No public exploit identified at time of analysis, and EPSS is very low (0.01%), but CISA SSVC rates the technical impact as total.
Authentication bypass in Yubico java-webauthn-server (webauthn-server-core) 2.8.0 through 2.8.1 allows an attacker holding any valid registered credential to impersonate other users during the second-factor flow. The flaw stems from an unchecked return value in finishAssertion that accepts a successful authentication result even when the authenticated credential belongs to a different user than the one named in StartAssertionOptions.username. No public exploit identified at time of analysis, and EPSS is very low (0.01%), but CISA SSVC rates the technical impact as total.