CVSS: 2.2EPSS: 0%CPEs: 1EXPL: 0CVE-2025-29991
https://notcve.org/view.php?id=CVE-2025-29991
03 Apr 2025 — Yubico YubiKey 5.4.1 through 5.7.3 before 5.7.4 has an incorrect FIDO CTAP PIN/UV Auth Protocol Two implementation. It uses the signature length from CTAP PIN/UV Auth Protocol One, even when CTAP PIN/UV Auth Protocol Two was chosen, resulting in a partial signature verification. • https://www.yubico.com/support/security-advisories/ysa-2025-02 • CWE-1390: Weak Authentication •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-23013 – Gentoo Linux Security Advisory 202501-04
https://notcve.org/view.php?id=CVE-2025-23013
15 Jan 2025 — In Yubico pam-u2f before 1.3.1, local privilege escalation can sometimes occur. This product implements a Pluggable Authentication Module (PAM) that can be deployed to support authentication using a YubiKey or other FIDO compliant authenticators on macOS or Linux. This software package has an issue that allows for an authentication bypass in some configurations. An attacker would require the ability to access the system as an unprivileged user. Depending on the configuration, the attacker may also need to k... • https://www.yubico.com/support/security-advisories/ysa-2025-01 • CWE-394: Unexpected Status Code or Return Value •
CVSS: 4.2EPSS: 0%CPEs: 18EXPL: 0CVE-2024-45678
https://notcve.org/view.php?id=CVE-2024-45678
03 Sep 2024 — Yubico YubiKey 5 Series devices with firmware before 5.7.0 and YubiHSM 2 devices with firmware before 2.4.0 allow an ECDSA secret-key extraction attack (that requires physical access and expensive equipment) in which an electromagnetic side channel is present because of a non-constant-time modular inversion for the Extended Euclidean Algorithm, aka the EUCLEAK issue. Other uses of an Infineon cryptographic library may also be affected. • https://arstechnica.com/security/2024/09/yubikeys-are-vulnerable-to-cloning-attacks-thanks-to-newly-discovered-side-channel • CWE-203: Observable Discrepancy •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-31498
https://notcve.org/view.php?id=CVE-2024-31498
04 Apr 2024 — Yubico ykman-gui (aka YubiKey Manager GUI) before 1.2.6 on Windows, when Edge is not used, allows privilege escalation because browser windows can open as Administrator. ykman-gui (también conocido como GUI de YubiKey Manager) anterior a 1.2.6 en Windows, cuando no se usa Edge, permite la escalada de privilegios porque las ventanas del navegador se pueden abrir como Administrador. • https://www.yubico.com/support/security-advisories/ysa-2024-01 • CWE-269: Improper Privilege Management •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-39908
https://notcve.org/view.php?id=CVE-2023-39908
14 Aug 2023 — The PKCS11 module of the YubiHSM 2 SDK through 2023.01 does not properly validate the length of specific read operations on object metadata. This may lead to disclosure of uninitialized and previously used memory. • https://blog.inhq.net/posts/yubico-yubihsm-pkcs-vuln • CWE-125: Out-of-bounds Read •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2022-24584
https://notcve.org/view.php?id=CVE-2022-24584
11 May 2022 — Incorrect access control in Yubico OTP functionality of the YubiKey hardware tokens along with the Yubico OTP validation server. The Yubico OTP supposedly creates hardware bound second factor credentials. When a user reprograms the OTP functionality by "writing" it on a token using the Yubico Personalization Tool, they can then upload the new configuration to Yubicos OTP validation servers. NOTE: the vendor disputes this because there is no way for a YubiKey device to prevent a user from deciding that a sec... • https://demo.yubico.com/otp/verify • CWE-863: Incorrect Authorization •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2015-3298
https://notcve.org/view.php?id=CVE-2015-3298
29 Mar 2022 — Yubico ykneo-openpgp before 1.0.10 has a typo in which an invalid PIN can be used. When first powered up, a signature will be issued even though the PIN has not been validated. Yubico ykneo-openpgp versiones anteriores a 1.0.10, presenta una errata en la que puede usarse un PIN no válido. Cuando es encendido por primera vez, es emitida una firma aunque el PIN no haya sido comprendido • https://developers.yubico.com/ykneo-openpgp/SecurityAdvisory%202015-04-14.html • CWE-347: Improper Verification of Cryptographic Signature •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 1CVE-2021-43399
https://notcve.org/view.php?id=CVE-2021-43399
08 Dec 2021 — The Yubico YubiHSM YubiHSM2 library 2021.08, included in the yubihsm-shell project, does not properly validate the length of some operations including SSH signing requests, and some data operations received from a YubiHSM 2 device. La librería YubiHSM YubiHSM2 versión 2021.08, incluida en el proyecto yubihsm-shell, no comprueba correctamente la longitud de algunas operaciones, incluyendo las peticiones de firma SSH, y algunas operaciones de datos recibidas desde un dispositivo YubiHSM 2 • https://blog.inhq.net/posts/yubico-yubihsm-shell-vuln3 • CWE-787: Out-of-bounds Write •
CVSS: 6.8EPSS: 0%CPEs: 3EXPL: 0CVE-2021-31924 – Gentoo Linux Security Advisory 202208-11
https://notcve.org/view.php?id=CVE-2021-31924
25 May 2021 — Yubico pam-u2f before 1.1.1 has a logic issue that, depending on the pam-u2f configuration and the application used, could lead to a local PIN bypass. This issue does not allow user presence (touch) or cryptographic signature verification to be bypassed, so an attacker would still need to physically possess and interact with the YubiKey or another enrolled authenticator. If pam-u2f is configured to require PIN authentication, and the application using pam-u2f allows the user to submit NULL as the PIN, pam-u... • https://developers.yubico.com/pam-u2f • CWE-287: Improper Authentication •
CVSS: 4.4EPSS: 0%CPEs: 1EXPL: 1CVE-2021-32489
https://notcve.org/view.php?id=CVE-2021-32489
10 May 2021 — An issue was discovered in the _send_secure_msg() function of Yubico yubihsm-shell through 2.0.3. The function does not correctly validate the embedded length field of an authenticated message received from the device because response_msg.st.len=8 can be accepted but triggers an integer overflow, which causes CRYPTO_cbc128_decrypt (in OpenSSL) to encounter an undersized buffer and experience a segmentation fault. The yubihsm-shell project is included in the YubiHSM 2 SDK product. Se detectó un problema en l... • https://blog.inhq.net/posts/yubico-libyubihsm-vuln2/#second-attack-variant-cve-pending • CWE-190: Integer Overflow or Wraparound •