webauthn-rs-core (Relying Party) and webauthn-authenticator-rs (client) checked that an Origin in CollectedClientData is valid for an RP ID with str::ends_with(), without checking for a dot (.) before the RP ID when allowing subdomains.
This check is flawed, and could allow requests from an attacker-controlled domain such as hermit-crab.example to be accepted for the RP ID crab.example (assuming .example was a publicly-registerable TLD) when the RP allows authenticating from a subdomain (disabled by default in webauthn-rs-core and webauthn-rs).
In webauthn-rs-core, this only applies when:
WebauthnCore::allow_subdomains_origin is true (the default is false), and
webauthn-rs can set allow_subdomains_origin via WebauthnBuilder::allow_subdomains. Fixing the bug in webauthn-rs-core also fixes it in webauthn-rs.
In webauthn-authenticator-rs, the flawed check is in WebauthnAuthenticator::do_registration() and...
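The suffix check described above, shown next to a label-boundary check, as an added example that is not code from webauthn-rs. The function names and the reduction of the Origin to an already-lowercased host string are assumptions made for illustration.

```rust
// Added illustration; these helpers are hypothetical, not webauthn-rs APIs.
// Assumption: `origin_host` is the host part of the Origin, already lowercased.

/// Flawed form: a bare suffix test when subdomains are allowed.
fn host_allowed_flawed(origin_host: &str, rp_id: &str, allow_subdomains: bool) -> bool {
    if allow_subdomains {
        origin_host.ends_with(rp_id)
    } else {
        origin_host == rp_id
    }
}

/// Corrected form: exact match, or a suffix match that starts at a '.' label
/// boundary with at least one character of subdomain label before the dot.
fn host_allowed_fixed(origin_host: &str, rp_id: &str, allow_subdomains: bool) -> bool {
    if rp_id.is_empty() {
        return false;
    }
    if origin_host == rp_id {
        return true;
    }
    allow_subdomains
        && origin_host
            .strip_suffix(rp_id)
            .map_or(false, |prefix| prefix.len() > 1 && prefix.ends_with('.'))
}

fn main() {
    // Constructed sample hosts, all checked against the RP ID from the advisory.
    let rp_id = "crab.example";
    let hosts = [
        "crab.example",        // the RP ID itself
        "login.crab.example",  // genuine subdomain
        "hermit-crab.example", // different registrable domain sharing the suffix
        ".crab.example",       // empty leading label
    ];
    for host in hosts {
        println!(
            "{:<22} flawed={:<5} fixed={}",
            host,
            host_allowed_flawed(host, rp_id, true),
            host_allowed_fixed(host, rp_id, true)
        );
    }
}
```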
Versions: 0.5.5, 0.6.0-dev, 0.6.1-dev
CVSS 4.0 score: 2.3 (CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N)