
CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

The PKCS11 module of the YubiHSM 2 SDK through 2023.01 does not properly validate the length of specific read operations on object metadata. This may lead to disclosure of uninitialized and previously used memory. • https://blog.inhq.net/posts/yubico-yubihsm-pkcs-vuln https://www.yubico.com/support/security-advisories/ysa-2023-01 • CWE-125: Out-of-bounds Read •

CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

Incorrect access control in the Yubico OTP functionality of YubiKey hardware tokens together with the Yubico OTP validation server. Yubico OTP supposedly creates hardware-bound second-factor credentials. When a user reprograms the OTP functionality by "writing" it to a token using the Yubico Personalization Tool, they can then upload the new configuration to Yubico's OTP validation servers. NOTE: the vendor disputes this because there is no way for a YubiKey device to prevent a user from deciding that a secret value, which is imported into the device, should also be stored elsewhere. • https://demo.yubico.com/otp/verify https://pastebin.com/7iLR1EbW https://pastebin.com/xAh8uV6J https://upload.yubico.com • CWE-863: Incorrect Authorization •

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

Yubico ykneo-openpgp before 1.0.10 has a typo that allows an invalid PIN to be used: when the applet is first powered up, a signature is issued even though the PIN has not been validated. • https://developers.yubico.com/ykneo-openpgp/SecurityAdvisory%202015-04-14.html • CWE-347: Improper Verification of Cryptographic Signature •

CVSS: 7.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

The Yubico YubiHSM2 library, version 2021.08, included in the yubihsm-shell project, does not properly validate the length of some operations, including SSH signing requests and some data operations received from a YubiHSM 2 device. • https://blog.inhq.net/posts/yubico-yubihsm-shell-vuln3 https://www.yubico.com/support/security-advisories/ysa-2021-04 • CWE-787: Out-of-bounds Write •
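Both YubiHSM entries above (the CWE-125 read of object metadata in the PKCS11 module and the CWE-787 write in yubihsm-shell) come down to trusting a length field that arrives from the device. The following is an added example, not code from yubihsm-shell or the YubiHSM SDK: it parses a constructed length-prefixed response format (2-byte big-endian payload length followed by the payload, which is an assumption for this example and not the real YubiHSM protocol) and shows the two checks whose absence produces each class of bug. The `MAX_DATA` capacity and the `demo_*` inputs are constructed for the example.

```c
/* Added example (not yubihsm-shell or the YubiHSM SDK): a host-side
 * parser for a constructed length-prefixed response format, showing the
 * two length checks whose absence gives CWE-125 and CWE-787.
 * Assumed wire format: 2-byte big-endian payload length, then payload. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_DATA 64  /* capacity of the caller's destination buffer (constructed) */

/* Vulnerable pattern: the device-supplied length drives memcpy directly.
 * A length larger than the bytes actually received reads past msg
 * (CWE-125, and the extra bytes are whatever sat in memory after it);
 * a length larger than MAX_DATA writes past out (CWE-787). */
size_t parse_unchecked(const uint8_t *msg, uint8_t out[MAX_DATA])
{
    size_t len = ((size_t)msg[0] << 8) | msg[1];
    memcpy(out, msg + 2, len);
    return len;
}

/* Hardened: validate the claimed length against both what was received
 * and where it is going, and report the real payload size so the caller
 * never consumes bytes the device did not send.
 * Returns 0 on success, a negative code for a rejected message. */
int parse_checked(const uint8_t *msg, size_t msg_len,
                  uint8_t out[MAX_DATA], size_t *out_len)
{
    if (msg == NULL || out == NULL || out_len == NULL) return -1;
    if (msg_len < 2) return -1;                 /* no complete header */
    size_t len = ((size_t)msg[0] << 8) | msg[1];
    if (len > msg_len - 2) return -2;           /* claims more than was received */
    if (len > MAX_DATA) return -3;              /* would overflow the destination */
    memcpy(out, msg + 2, len);
    *out_len = len;
    return 0;
}

/* Constructed inputs exercising each branch of parse_checked(). */
int demo_valid(void)
{
    const uint8_t msg[] = { 0x00, 0x03, 0xAA, 0xBB, 0xCC };
    uint8_t out[MAX_DATA];
    size_t n = 0;
    int rc = parse_checked(msg, sizeof msg, out, &n);
    return (rc == 0 && n == 3 && out[2] == 0xCC) ? 0 : 1;
}

int demo_short_read(void)
{
    /* Header claims 16 bytes but only 1 followed: the unchecked parser
     * would copy 15 bytes of whatever follows msg in memory. */
    const uint8_t msg[] = { 0x00, 0x10, 0x01 };
    uint8_t out[MAX_DATA];
    size_t n = 0;
    return parse_checked(msg, sizeof msg, out, &n);
}

int demo_oversized(void)
{
    /* Header claims MAX_DATA + 1 bytes and they really are present: the
     * unchecked parser would write one byte past out. */
    uint8_t msg[2 + MAX_DATA + 1];
    uint8_t out[MAX_DATA];
    size_t n = 0;
    memset(msg, 0x41, sizeof msg);
    msg[0] = 0x00;
    msg[1] = MAX_DATA + 1;
    return parse_checked(msg, sizeof msg, out, &n);
}
```

The order of the two checks matters: comparing the claimed length against the bytes actually received first means a short or truncated response is rejected before the destination capacity is even considered, so a caller that later trusts `*out_len` cannot be handed stale or uninitialised bytes as if the device had returned them.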

CVSS: 6.8 • EPSS: 0% • CPEs: 3 • EXPL: 0

Yubico pam-u2f before 1.1.1 has a logic issue that, depending on the pam-u2f configuration and the application used, could lead to a local PIN bypass. This issue does not allow user presence (touch) or cryptographic signature verification to be bypassed, so an attacker would still need to physically possess and interact with the YubiKey or another enrolled authenticator. If pam-u2f is configured to require PIN authentication, and the application using pam-u2f allows the user to submit NULL as the PIN, pam-u2f will attempt to perform a FIDO2 authentication without a PIN. If this authentication is successful, the PIN requirement is bypassed. • https://developers.yubico.com/pam-u2f https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CRBVOZEMVO72FV4Z5O4GBGSURXHWRGD3 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IL3I5AKECLMK4ADLLACLOEF7H5CMNDP2 https://security.gentoo.org/glsa/202208-11 https://www.yubico.com/support/security-advisories/ysa-2021-03 • CWE-287: Improper Authentication •
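The pam-u2f entry describes a logic shape worth seeing side by side with its fix: a NULL PIN from the application is handed to the assertion call, which then runs touch-only, and the successful touch-only assertion is accepted as if the PIN had been checked. The following is an added example and not pam-u2f's own code. The authenticator is simulated (its stored PIN "1234" is constructed), the `require_pin` flag stands in for whatever module option enables PIN checking, and `AUTH_OK`/`AUTH_FAIL` are constructed return codes. The one real-library fact it relies on is that libfido2's `fido_dev_get_assert()` takes the PIN as its last argument and treats a NULL PIN as "no PIN protocol".

```c
/* Added example (not pam-u2f code): models the PIN-handling logic the
 * advisory describes, with a simulated authenticator. Constructed:
 * the stored PIN "1234", the require_pin flag, AUTH_OK/AUTH_FAIL. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define AUTH_OK   0
#define AUTH_FAIL 1

struct assertion { bool up; bool uv; };  /* user presence / user verification flags */

/* Simulated authenticator. Touch (up) is assumed to happen, matching the
 * advisory's note that presence is never bypassed.
 *   NULL pin      -> touch-only assertion succeeds, uv stays false
 *   correct pin   -> assertion succeeds with uv set
 *   any other pin -> refused (an empty string "" is a wrong PIN, not NULL) */
static bool sim_get_assert(const char *pin, struct assertion *a)
{
    a->up = true;
    a->uv = false;
    if (pin == NULL) return true;
    if (strcmp(pin, "1234") != 0) return false;
    a->uv = true;
    return true;
}

/* Vulnerable shape: whatever the application handed over, NULL included,
 * goes straight to the assertion call, and success is read as
 * "PIN verified" without checking that a PIN was actually involved. */
int authenticate_vulnerable(bool require_pin, const char *pin)
{
    struct assertion a;
    (void)require_pin;  /* the policy never influences the decision */
    if (!sim_get_assert(pin, &a)) return AUTH_FAIL;
    return AUTH_OK;
}

/* Hardened: when policy requires a PIN, refuse a NULL PIN before talking
 * to the authenticator instead of falling back to a touch-only assertion,
 * and additionally insist that the returned assertion carries uv, so an
 * authenticator that silently ignored the PIN is not trusted either. */
int authenticate_fixed(bool require_pin, const char *pin)
{
    struct assertion a;
    if (require_pin && pin == NULL) return AUTH_FAIL;
    if (!sim_get_assert(pin, &a)) return AUTH_FAIL;
    if (require_pin && !a.uv) return AUTH_FAIL;
    return AUTH_OK;
}
```

The second check in `authenticate_fixed()` is redundant against this simulator but is the one that survives when the first is forgotten again or when the PIN is consumed further down the stack: the policy decision is made on what the authenticator actually attested (the uv flag), not on what the host believes it sent.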