// For flags

CVE-2021-28484

 

Severity Score

7.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

An issue was discovered in the /api/connector endpoint handler in Yubico yubihsm-connector before 3.0.1 (in YubiHSM SDK before 2021.04). The handler did not validate the length of the request, which can lead to a state where yubihsm-connector becomes stuck in a loop waiting for the YubiHSM to send it data, preventing any further operations until the yubihsm-connector is restarted. An attacker can send 0, 1, or 2 bytes to trigger this.

Se detectó un problema en el manejador de endpoint api/connector en Yubico yubihsm-connector versiones anteriores a 3.0.1 (en YubiHSM SDK versiones anteriores a 2021.04). El manejador no comprobó la longitud de la petición, lo que puede conllevar a un estado en el que yubihsm-connector se atasca en un bucle esperando a que YubiHSM le envíe datos, lo que impide cualquier otra operación hasta que yubihsm-connector es reiniciado. Un atacante puede enviar 0, 1 o 2 bytes para activar esto

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
None
Integrity
None
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2021-03-16 CVE Reserved
  • 2021-04-14 CVE Published
  • 2023-12-29 EPSS Updated
  • 2024-08-03 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Yubico
Search vendor "Yubico"
 Yubihsm Connector
Search vendor "Yubico" for product "Yubihsm Connector"
 < 3.0.1
Search vendor "Yubico" for product "Yubihsm Connector" and version " < 3.0.1"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
 Fedora
Search vendor "Fedoraproject" for product "Fedora"
 34
Search vendor "Fedoraproject" for product "Fedora" and version "34"
-
Affected