Vulnerabilities > CVE-2021-28484 - Infinite Loop vulnerability in multiple products

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

HIGH

network

low complexity

yubico

fedoraproject

CWE-835

NVD

Published: 2021-04-14

Updated: 2023-11-07

Summary

An issue was discovered in the /api/connector endpoint handler in Yubico yubihsm-connector before 3.0.1 (in YubiHSM SDK before 2021.04). The handler did not validate the length of the request, which can lead to a state where yubihsm-connector becomes stuck in a loop waiting for the YubiHSM to send it data, preventing any further operations until the yubihsm-connector is restarted. An attacker can send 0, 1, or 2 bytes to trigger this.

Vulnerable Configurations

Part	Description	Count
Application	Yubico Yubico Yubihsm Connector - Yubico Yubihsm Connector 2.0.0 Yubico Yubihsm Connector 2.1.0 Yubico Yubihsm Connector 2.2.0 Yubico Yubihsm Connector 3.0.0	5
OS	Fedoraproject Fedoraproject Fedora 34	1

Common Weakness Enumeration (CWE)

CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References