Vulnerabilities > Yubico
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-10-19 | CVE-2020-24387 | Out-of-bounds Write vulnerability in multiple products An issue was discovered in the yh_create_session() function of yubihsm-shell through 2.0.2. | 7.5 |
| 2020-07-09 | CVE-2020-15001 | Information Exposure vulnerability in Yubico Yubikey 5 NFC Firmware An information leak was discovered on Yubico YubiKey 5 NFC devices 5.0.0 to 5.2.6 and 5.3.0 to 5.3.1. | 2.9 |
| 2020-07-09 | CVE-2020-15000 | Unspecified vulnerability in Yubico Yubikey 5 NFC Firmware A PIN management problem was discovered on Yubico YubiKey 5 devices 5.2.0 to 5.2.6. network yubico | 4.3 |
| 2020-07-09 | CVE-2020-13132 | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Yubico products An issue was discovered in Yubico libykpiv before 2.1.0. | 2.1 |
| 2020-07-09 | CVE-2020-13131 | Out-of-bounds Read vulnerability in Yubico products An issue was discovered in Yubico libykpiv before 2.1.0. | 1.9 |
| 2020-03-05 | CVE-2020-10185 | Authentication Bypass by Capture-replay vulnerability in Yubico Yubikey ONE Time Password Validation Server The sync endpoint in YubiKey Validation Server before 2.40 allows remote attackers to replay an OTP. | 6.8 |
| 2020-03-05 | CVE-2020-10184 | SQL Injection vulnerability in Yubico Yubikey ONE Time Password Validation Server The verify endpoint in YubiKey Validation Server before 2.40 does not check the length of SQL queries, which allows remote attackers to cause a denial of service, aka SQL injection. | 5.0 |
| 2019-11-26 | CVE-2011-4120 | Improper Input Validation vulnerability in multiple products Yubico PAM Module before 2.10 performed user authentication when 'use_first_pass' PAM configuration option was not used and the module was configured as 'sufficient' in the PAM configuration. | 7.5 |
| 2019-06-04 | CVE-2019-12210 | Unspecified vulnerability in Yubico Pam-U2F 1.0.7 In Yubico pam-u2f 1.0.7, when configured with debug and a custom debug log file is set using debug_file, that file descriptor is not closed when a new process is spawned. | 5.5 |
| 2019-06-04 | CVE-2019-12209 | Link Following vulnerability in Yubico Pam-U2F 1.0.7 Yubico pam-u2f 1.0.7 attempts parsing of the configured authfile (default $HOME/.config/Yubico/u2f_keys) as root (unless openasuser was enabled), and does not properly verify that the path lacks symlinks pointing to other files on the system owned by root. | 7.5 |