Vulnerabilities > CVE-2023-39908 - Out-of-bounds Read vulnerability in Yubico Yubihsm 2 SDK

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

NONE

Availability impact

NONE

network

low complexity

yubico

CWE-125

NVD

Published: 2023-08-14

Updated: 2023-08-25

Summary

The PKCS11 module of the YubiHSM 2 SDK through 2023.01 does not properly validate the length of specific read operations on object metadata. This may lead to disclosure of uninitialized and previously used memory.

Vulnerable Configurations

Part	Description	Count
Application	Yubico Yubico Yubihsm 2 SDK - Yubico Yubihsm 2 SDK 1.0.0 Yubico Yubihsm 2 SDK 1.0.1 Yubico Yubihsm 2 SDK 1.0.2 Yubico Yubihsm 2 SDK 1.0.3 Yubico Yubihsm 2 SDK 1.0.4 Yubico Yubihsm 2 SDK 2.0.0 Yubico Yubihsm 2 SDK 2019.3 Yubico Yubihsm 2 SDK 2019.12 Yubico Yubihsm 2 SDK 2020.10 Yubico Yubihsm 2 SDK 2021.03 Yubico Yubihsm 2 SDK 2021.04 Yubico Yubihsm 2 SDK 2021.08 Yubico Yubihsm 2 SDK 2021.12	14

Common Weakness Enumeration (CWE)

CWE-125 - Out-of-bounds Read

Common Attack Pattern Enumeration and Classification (CAPEC)

Overread Buffers
An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

References