CVE-2024-39912: The FIDO2/Webauthn Support for PHP library allows enumeration of valid usernames
The ProfileBasedRequestOptionsBuilder method returns allowedCredentials without any credentials if no username was found.
References
- github.com/advisories/GHSA-875x-g8p7-5w27
- github.com/web-auth/webauthn-framework
- github.com/web-auth/webauthn-framework/commit/a9d1352897fba552e659e1445a771dec2d4ed05a
- github.com/web-auth/webauthn-framework/security/advisories/GHSA-875x-g8p7-5w27
- github.com/web-auth/webauthn-lib/commit/b6798de27cdedd8681fe4c9b13ace0ff2456d18b
- nvd.nist.gov/vuln/detail/CVE-2024-39912
Code Behaviors & Features
Detect and mitigate CVE-2024-39912 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →