wso2is
Chainguard
Status
Impact
This vulnerability affects eddsa 0.3.0, which is embedded in the yubico-webauthn_2.4.0.wso2v1.jar bundle. The vulnerable eddsa dependency ships with WSO2's FIDO2 authenticator feature (identity.local.auth.fido.version). The tested FIDO authenticator versions, 5.4.18 through 5.4.21, all contain the same vulnerable yubico-webauthn 2.4.0 bundle, and version 5.4.21 has dependency conflicts that prevent installation in WSO2 IS 7.1.0. Yubico released webauthn-server-core 2.6.0+ (Jan 2024) and 2.7.0+ (May 2024), which contain updated eddsa versions, but WSO2 has not yet updated its FIDO2 server feature to include these newer releases. A fix is pending from upstream WSO2, which needs to update its FIDO2 authenticator feature with a newer yubico-webauthn bundle.
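One way to confirm whether an installation still carries the embedded copy is to look inside each jar for eddsa, including jars nested inside a bundle. The script below is an added example, not code from Chainguard or WSO2. It assumes the library's classes live under `net/i2p/crypto/eddsa/` and that a nested copy is named `eddsa-<version>.jar`; the function names and the sample bundle are constructed for illustration, and relocated (shaded) classes are not detected.

```python
import io
import os
import re
import zipfile

EDDSA_PKG = "net/i2p/crypto/eddsa/"  # assumed package path of the eddsa library
NESTED_JAR = re.compile(r"(?:^|/)eddsa-(\d[\w.]*)\.jar$")
POM_PROPS = re.compile(r"(?:^|/)META-INF/maven/[^/]+/eddsa/pom\.properties$")

def find_eddsa(jar_bytes, label, depth=0):
    """Return [(location, version or None)] for each eddsa copy inside a jar."""
    if not zipfile.is_zipfile(io.BytesIO(jar_bytes)):
        return []
    hits, has_classes, version = [], False, None
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith(EDDSA_PKG) and name.endswith(".class"):
                has_classes = True  # classes unpacked directly into this jar
            elif POM_PROPS.search(name):
                m = re.search(r"^version=(.+)$", zf.read(name).decode("utf-8", "replace"), re.M)
                version = m.group(1).strip() if m else version
            elif name.endswith(".jar") and depth < 3:
                # Nested jar: recurse; use the file name as the version if none is found inside.
                m = NESTED_JAR.search(name)
                inner = find_eddsa(zf.read(name), f"{label}!/{name}", depth + 1)
                hits += [(loc, ver or (m.group(1) if m else None)) for loc, ver in inner]
    if has_classes or version:
        hits.append((label, version))
    return hits

def scan_tree(root):
    """Walk an install directory and check every .jar under it."""
    found = []
    for dirpath, _, files in os.walk(root):
        for f in (f for f in files if f.endswith(".jar")):
            path = os.path.join(dirpath, f)
            with open(path, "rb") as fh:
                found += find_eddsa(fh.read(), path)
    return found

def build_sample_bundle():
    """Constructed stand-in for a bundle that nests eddsa-0.3.0.jar."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(EDDSA_PKG + "EdDSAEngine.class", b"\xca\xfe\xba\xbe")
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("lib/eddsa-0.3.0.jar", inner.getvalue())
    return outer.getvalue()
```

Run `scan_tree()` against the product's install directory; a hit with version `0.3.0` under the yubico-webauthn bundle means the feature update described above has not yet been applied.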
Status