Yubico: high-severity vulnerabilities

Columns: date published, CVE ID, vulnerability title. Each entry is followed by its description and then its attack vector, attack complexity, affected vendors, CWE and CVSS score (risk).
2023-08-14  CVE-2023-39908  Out-of-bounds Read vulnerability in Yubico YubiHSM 2 SDK
  The PKCS#11 module of the YubiHSM 2 SDK through 2023.01 does not properly validate the length of specific read operations on object metadata, which can lead to an out-of-bounds read.
  Attack vector: network | Attack complexity: low | Vendors: yubico | CWE-125 | Risk (CVSS): 7.5
2022-03-30  CVE-2015-3298  Improper Verification of Cryptographic Signature vulnerability in Yubico ykneo-openpgp 1.0.9
  Yubico ykneo-openpgp before 1.0.10 contains a typo that allows an invalid PIN to be accepted.
  Attack vector: not listed | Attack complexity: low | Vendors: yubico | CWE-347 | Risk (CVSS): 8.8
2021-12-08  CVE-2021-43399  Out-of-bounds Write vulnerability in Yubico YubiHSM 2 SDK
  The YubiHSM 2 library (libyubihsm) in YubiHSM SDK 2021.08, shipped as part of the yubihsm-shell project, does not properly validate the length of some operations, including SSH signing requests and some data operations received from a YubiHSM 2 device, which can lead to an out-of-bounds write.
  Attack vector: network | Attack complexity: low | Vendors: yubico | CWE-787 | Risk (CVSS): 7.5
2021-04-14  CVE-2021-28484  Infinite Loop vulnerability in multiple products
  An issue was discovered in the /api/connector endpoint handler in Yubico yubihsm-connector before 3.0.1 (YubiHSM SDK before 2021.04): the handler does not validate the length of the request, so a malformed request can leave the connector stuck in a loop waiting for data from the YubiHSM, blocking further operations until the connector is restarted.
  Attack vector: network | Attack complexity: low | Vendors: yubico, fedoraproject | CWE-835 | Risk (CVSS): 7.5
2020-10-19  CVE-2020-24388  Out-of-bounds Write vulnerability in multiple products
  An issue was discovered in the _send_secure_msg() function of yubihsm-shell through 2.0.2: the function does not validate a length field in the data it processes before using it to copy data, which can lead to an out-of-bounds write.
  Attack vector: network | Attack complexity: low | Vendors: yubico, fedoraproject | CWE-787 | Risk (CVSS): 7.5
2020-10-19  CVE-2020-24387  Out-of-bounds Write vulnerability in multiple products
  An issue was discovered in the yh_create_session() function of yubihsm-shell through 2.0.2: the function does not validate the length of a response it receives during session establishment, which can lead to an out-of-bounds write.
  Attack vector: network | Attack complexity: low | Vendors: yubico, fedoraproject | CWE-787 | Risk (CVSS): 7.5
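The YubiHSM SDK entries above (CVE-2023-39908, CVE-2021-43399, CVE-2020-24388, CVE-2020-24387) and the connector loop (CVE-2021-28484) share one root cause: a length field taken from the wire is used before it is checked against the bytes actually received and against the buffer it is copied into. The following C is an added illustration, not code from yubihsm-shell, the connector or the SDK; the header layout (1-byte command, 2-byte big-endian length), the 2048-byte receive buffer and the sample messages are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed wire layout for an HSM/connector message (illustration only, not the
 * SDK's real structures): 1-byte command, 2-byte big-endian payload length, payload. */
#define HDR_LEN   3
#define MAX_DATA  2048          /* assumed fixed size of the receive buffer */

typedef struct {
    uint8_t  cmd;
    uint16_t len;
    uint8_t  data[MAX_DATA];
} response_t;

/* Vulnerable pattern: the length field is trusted as-is. If len exceeds buflen the
 * memcpy reads past the input (CWE-125); if it exceeds MAX_DATA it writes past
 * out->data (CWE-787). Shown for comparison; never call it on untrusted input. */
int parse_response_unchecked(const uint8_t *buf, size_t buflen, response_t *out)
{
    if (buflen < HDR_LEN)
        return -1;
    out->cmd = buf[0];
    out->len = (uint16_t)((buf[1] << 8) | buf[2]);
    memcpy(out->data, buf + HDR_LEN, out->len);
    return 0;
}

/* Hardened version: the declared length must fit both the bytes actually
 * received and the destination buffer before anything is copied. */
int parse_response_checked(const uint8_t *buf, size_t buflen, response_t *out)
{
    if (buflen < HDR_LEN)
        return -1;                      /* short read: no complete header */
    uint16_t len = (uint16_t)((buf[1] << 8) | buf[2]);
    if ((size_t)len > buflen - HDR_LEN)
        return -2;                      /* declared length exceeds received bytes */
    if (len > MAX_DATA)
        return -3;                      /* would overflow out->data */
    out->cmd = buf[0];
    out->len = len;
    memcpy(out->data, buf + HDR_LEN, len);
    return 0;
}

/* Constructed inputs for a quick check. */
int demo_valid(void)
{
    const uint8_t msg[] = { 0x81, 0x00, 0x04, 0xde, 0xad, 0xbe, 0xef };  /* len 4, 4 bytes present */
    response_t r;
    if (parse_response_checked(msg, sizeof msg, &r) != 0)
        return 0;
    return r.cmd == 0x81 && r.len == 4 && r.data[3] == 0xef;
}

int demo_truncated(void)
{
    const uint8_t msg[] = { 0x81, 0xff, 0xff, 0x00 };                    /* claims 65535 bytes, has 1 */
    response_t r;
    return parse_response_checked(msg, sizeof msg, &r);                   /* returns -2 */
}

int demo_oversized(void)
{
    static uint8_t msg[HDR_LEN + 4096];                  /* enough bytes present... */
    msg[0] = 0x81; msg[1] = 0x0c; msg[2] = 0x00;         /* ...but len 3072 > MAX_DATA */
    response_t r;
    return parse_response_checked(msg, sizeof msg, &r);  /* returns -3 */
}
```

The two checks are deliberately separate: the first protects the read side (the truncated message would otherwise be read past its end), the second the write side (the oversized message would otherwise overflow the destination). A connector or library that reads the payload from a socket should apply the same bound before blocking for more data, which is what keeps a malformed request from turning into the wait-forever state described for the connector.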
2020-03-05  CVE-2020-10185  Authentication Bypass by Capture-replay vulnerability in Yubico YubiKey One-Time Password Validation Server (yubikey-val)
  The sync endpoint in YubiKey Validation Server before 2.40 allows remote attackers to replay a previously used OTP.
  Attack vector: network | Attack complexity: low | Vendors: yubico | CWE-294 | Risk (CVSS): 8.6
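A validation server resists OTP replay by requiring the counters carried in each OTP to be strictly greater than the last value it stored for that key, and by applying that rule to counters that arrive through the sync endpoint as well as through verify. The C below is an added example of that check, not yubikey-val's code; OTP decryption and persistent storage are left out, and the public IDs are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Counters a validation server sees after decrypting a Yubico OTP: a session
 * counter (incremented each time the key powers up) and a session-use counter
 * (incremented on each press within a session). Taken together they must be
 * strictly greater than the last value stored for that key. */
typedef struct {
    uint16_t session;   /* 15 bits used on the device */
    uint8_t  use;
} otp_counter_t;

typedef struct {
    char          public_id[13];  /* 12 modhex characters + NUL */
    otp_counter_t last;
    bool          seen;
} key_state_t;

static uint32_t counter_value(otp_counter_t c)
{
    return ((uint32_t)c.session << 8) | c.use;
}

enum { OTP_UNKNOWN_KEY = -1, OTP_REPLAY = 0, OTP_OK = 1 };

/* Accept the OTP only if its counter is newer than everything recorded for the
 * key. The same rule is applied whether the counter comes from a client on the
 * verify endpoint or from a peer server on the sync endpoint (assumed design
 * for this example; yubikey-val's own code is structured differently). */
int check_and_record(key_state_t *keys, size_t nkeys, const char *public_id, otp_counter_t c)
{
    for (size_t i = 0; i < nkeys; i++) {
        if (strcmp(keys[i].public_id, public_id) != 0)
            continue;
        if (keys[i].seen && counter_value(c) <= counter_value(keys[i].last))
            return OTP_REPLAY;        /* equal = replay, lower = rollback attempt */
        keys[i].last = c;
        keys[i].seen = true;
        return OTP_OK;
    }
    return OTP_UNKNOWN_KEY;
}

/* Constructed sequence: a valid press, the same OTP replayed, a later press,
 * an older counter pushed via sync, then a new session; returns 1 if every
 * outcome matches. */
int demo_replay_sequence(void)
{
    key_state_t keys[1] = { { "cccccccccccc", { 0, 0 }, false } };   /* constructed public ID */
    const char *id = "cccccccccccc";
    int ok = 1;
    ok &= check_and_record(keys, 1, id, (otp_counter_t){ 3, 1 }) == OTP_OK;
    ok &= check_and_record(keys, 1, id, (otp_counter_t){ 3, 1 }) == OTP_REPLAY;
    ok &= check_and_record(keys, 1, id, (otp_counter_t){ 3, 2 }) == OTP_OK;
    ok &= check_and_record(keys, 1, id, (otp_counter_t){ 2, 255 }) == OTP_REPLAY;
    ok &= check_and_record(keys, 1, id, (otp_counter_t){ 4, 0 }) == OTP_OK;
    ok &= check_and_record(keys, 1, "dddddddddddd", (otp_counter_t){ 1, 0 }) == OTP_UNKNOWN_KEY;
    return ok;
}
```

The comparison is on the combined value, so a lower session counter with a high use counter is still rejected; in a real deployment the stored counter must be updated atomically with the check, since two concurrent requests carrying the same OTP would otherwise both pass.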
2020-03-05  CVE-2020-10184  SQL Injection vulnerability in Yubico YubiKey One-Time Password Validation Server (yubikey-val)
  The verify endpoint in YubiKey Validation Server before 2.40 does not check the length of the values it embeds in SQL queries, which allows remote attackers to perform SQL injection and cause a denial of service.
  Attack vector: network | Attack complexity: low | Vendors: yubico | CWE-89 | Risk (CVSS): 7.5
2019-06-04  CVE-2019-12210  File descriptor leak in Yubico pam-u2f 1.0.7 (listed as an unspecified vulnerability)
  In Yubico pam-u2f 1.0.7, when configured with debug and a custom debug log file is set using debug_file, that file descriptor is not closed when a new process is spawned, so processes started after authentication inherit an open descriptor to the log file.
  Attack vector: network | Attack complexity: low | Vendors: yubico | CWE: not listed | Risk (CVSS): 8.1
2019-06-04  CVE-2019-12209  Link Following vulnerability in Yubico pam-u2f 1.0.7
  Yubico pam-u2f 1.0.7 parses the configured authfile (default $HOME/.config/Yubico/u2f_keys) as root unless openasuser is enabled, and does not verify that the path is free of symlinks, so a user can point it at root-owned files elsewhere on the system.
  Attack vector: network | Attack complexity: low | Vendors: yubico | CWE-59 | Risk (CVSS): 7.5
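Both pam-u2f entries concern file handling done with root privileges: a descriptor that must not survive into spawned processes (CVE-2019-12210) and a user-controlled path that must not be reached through a symlink (CVE-2019-12209). The C below is an added example of those two checks, not pam-u2f's code; the function names, the temporary directory under /tmp and the authfile content are assumed or constructed for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a user-controlled path while privileged: refuse a symlink as the final
 * component (O_NOFOLLOW), mark the descriptor close-on-exec so child processes
 * do not inherit it (O_CLOEXEC), and verify after opening that the file is a
 * regular file owned by the user we are acting for. Returns -1 with errno set. */
int open_user_file_safely(const char *path, uid_t owner)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC | O_NOCTTY);
    if (fd < 0)
        return -1;                       /* ELOOP (EMLINK on some BSDs) for a symlink */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != owner) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* For descriptors that already exist (e.g. a debug log opened with fopen),
 * set FD_CLOEXEC so they are not leaked into spawned processes. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Constructed check: a regular file is accepted and comes back close-on-exec;
 * a symlink to that same file is refused even though its target is ours; a log
 * opened with fopen can be marked close-on-exec afterwards. Returns 1 on success. */
int demo_authfile_checks(void)
{
    char dir[] = "/tmp/u2f_demo_XXXXXX";
    if (mkdtemp(dir) == NULL)
        return 0;
    char real[PATH_MAX], link[PATH_MAX];
    snprintf(real, sizeof real, "%s/u2f_keys", dir);
    snprintf(link, sizeof link, "%s/u2f_keys_link", dir);

    FILE *f = fopen(real, "w");
    if (f == NULL)
        return 0;
    fputs("user:constructed_keyhandle,constructed_pubkey\n", f);  /* constructed content */
    fclose(f);
    int ok = symlink(real, link) == 0;

    int fd = open_user_file_safely(link, getuid());
    ok &= (fd < 0 && (errno == ELOOP || errno == EMLINK));
    if (fd >= 0)
        close(fd);

    fd = open_user_file_safely(real, getuid());
    ok &= fd >= 0;
    if (fd >= 0) {
        ok &= (fcntl(fd, F_GETFD) & FD_CLOEXEC) != 0;
        close(fd);
    }

    FILE *dbg = fopen(real, "a");                          /* stands in for debug_file */
    if (dbg != NULL) {
        ok &= set_cloexec(fileno(dbg)) == 0 && (fcntl(fileno(dbg), F_GETFD) & FD_CLOEXEC) != 0;
        fclose(dbg);
    } else {
        ok = 0;
    }

    unlink(link); unlink(real); rmdir(dir);
    return ok;
}
```

O_NOFOLLOW only guards the final path component; a symlinked directory earlier in the path (for example a replaced $HOME/.config) is still followed, and the ownership check after fstat only catches the case where the target is not the user's. The robust fix is to drop to the user's uid before opening the authfile, which is what the openasuser option in pam-u2f selects, or to walk the path with openat from a directory that has already been verified.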