CVE-2020-15001

Severity Score: 5.3 (CVSS v3.1)
Exploit Likelihood (EPSS):
Affected Versions (CPE): see table below
Public Exploits: 1 (Multiple Sources)
Exploited in Wild: - (KEV)
Decision: - (SSVC)
Descriptions

An information leak was discovered on Yubico YubiKey 5 NFC devices 5.0.0 to 5.2.6 and 5.3.0 to 5.3.1. The OTP application allows a user to set optional access codes on OTP slots. This access code is intended to prevent unauthorized changes to OTP configurations. The access code is not checked when updating NFC specific components of the OTP configurations. This may allow an attacker to access configured OTPs and passwords stored in slots that were not configured by the user to be read over NFC, despite a user having set an access code. (Users who have not set an access code, or who have not configured the OTP slots, are not impacted by this issue.)


*Credits: N/A
CVSS Scores

CVSS v3.1 (base score 5.3, vector AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N):
  Attack Vector: Adjacent
  Attack Complexity: High
  Privileges Required: None
  User Interaction: None
  Scope: Unchanged
  Confidentiality: High
  Integrity: None
  Availability: None

CVSS v2 (vector AV:A/AC:M/Au:N/C:P/I:N/A:N):
  Attack Vector: Adjacent
  Attack Complexity: Medium
  Authentication: None
  Confidentiality: Partial
  Integrity: None
  Availability: None

* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2020-06-23 CVE Reserved
  • 2020-07-09 CVE Published
  • 2023-11-12 EPSS Updated
  • 2024-08-04 CVE Updated
  • 2024-08-04 First Exploit
  • - Exploited in Wild
  • - KEV Due Date
CWE
  • CWE-862: Missing Authorization
CAPEC
References (1)
Affected Vendors, Products, and Versions

Vendor | Product                | Version           | Other | Status
Yubico | Yubikey 5 Nfc Firmware | >= 5.0.0 <= 5.2.6 | -     | Affected
  running in: Yubico | Yubikey 5 Nfc | -- | | Safe
Yubico | Yubikey 5 Nfc Firmware | >= 5.3.0 <= 5.3.1 | -     | Affected
  running in: Yubico | Yubikey 5 Nfc | -- | | Safe