5.3

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-39912

GHSA ID

GHSA-875x-g8p7-5w27

EPSS Score

0.3654%

CWE

CWE-204

Published

7/15/2024

Updated

8/4/2024

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-39912

CVE-2024-39912: The FIDO2/Webauthn Support for PHP library allows enumeration of valid usernames

Summary

The ProfileBasedRequestOptionsBuilder method returns allowedCredentials without any credentials if no username was found.

Details

When WebAuthn is used as the first or only authentication method, an attacker can enumerate usernames based on the absence of the allowedCredentials property in the assertion options response. This allows enumeration of valid or invalid usernames.

Proposal how to resolve it:

return $this->publicKeyCredentialRequestOptionsFactory->create(
            $this->profile,
            count($allowedCredentials) <= 0 ? self::getRandomCredentials(): $allowedCredentials,
            $optionsRequest->userVerification,
            $extensions
);

private static function getRandomCredentials(): array
{
        $credentialSources = [];
        for ($i = 0; $i <= rand(0,1); $i++) {
            $credentialSources[] = new PublicKeyCredentialSource(
                random_bytes(32),
                "public-key",
                [],
                "basic",
                new EmptyTrustPath(),
                Uuid::v7(),
                random_bytes(77),
                Uuid::v7()->__toString(),
                rand(0, 6000),
                null
            );
        }
        return array_map(
            static fn (PublicKeyCredentialSource $credential): PublicKeyCredentialDescriptor => $credential->getPublicKeyCredentialDescriptor(),
            $credentialSources
        );
}

PoC

curl https://example.com/assertion/options
-H 'content-type: application/json'
--data-raw '{"username":"NotMeRandomUsername123"}'

Impact

By knowing which usernames are valid, attackers can focus their efforts on a smaller set of potential targets, increasing the efficiency and likelihood of successful attacks.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-39912

CVE-2024-39912:

5.3

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-39912

GHSA ID

GHSA-875x-g8p7-5w27

EPSS Score

0.3654%

CWE

CWE-204

Published

7/15/2024

Updated

8/4/2024

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
web-auth/webauthn-lib	composer	>= 4.5.0, < 4.9.0	4.9.0
web-auth/webauthn-framework	composer	>= 4.5.0, < 4.9.0	4.9.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from ProfileBasedCreationOptionsBuilder's getFromRequest method returning empty excluded credentials when a username isn't found. This creates an observable difference in assertion options responses (presence/absence of allowedCredentials) that enables username enumeration. The commit diff shows the vulnerability was addressed by adding a 'hideExistingExcludedCredentials' parameter and conditional logic to return random credentials instead of empty ones. The pre-patch version in 4.5.0-4.8.x lacked this protection, making the original implementation of getFromRequest the vulnerable entry point that exposed credential existence through response discrepancies.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-39912: The FIDO2/Webauthn Support for PHP library allows enumeration of valid usernames

Summary

Details

Proposal how to resolve it:

PoC

Impact

CVE-2024-39912:

5.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Basic Information

Basic Information

CVE-2024-39912: The FIDO2/Webauthn Support for PHP library allows enumeration of valid usernames

Summary

Details

Proposal how to resolve it:

PoC

Impact

5.3

5.3

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI