Vulnerabilities > Yubico > High
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-08-14 | CVE-2023-39908 | Out-of-bounds Read vulnerability in Yubico Yubihsm 2 SDK The PKCS11 module of the YubiHSM 2 SDK through 2023.01 does not properly validate the length of specific read operations on object metadata. | 7.5 |
2022-03-30 | CVE-2015-3298 | Improper Verification of Cryptographic Signature vulnerability in Yubico Ykneo-Openpgp 1.0.9 Yubico ykneo-openpgp before 1.0.10 has a typo in which an invalid PIN can be used. | 8.8 |
2021-12-08 | CVE-2021-43399 | Out-of-bounds Write vulnerability in Yubico Yubihsm 2 Software Development KIT The Yubico YubiHSM YubiHSM2 library 2021.08, included in the yubihsm-shell project, does not properly validate the length of some operations including SSH signing requests, and some data operations received from a YubiHSM 2 device. | 7.5 |
2021-04-14 | CVE-2021-28484 | Infinite Loop vulnerability in multiple products An issue was discovered in the /api/connector endpoint handler in Yubico yubihsm-connector before 3.0.1 (in YubiHSM SDK before 2021.04). | 7.5 |
2020-10-19 | CVE-2020-24388 | Out-of-bounds Write vulnerability in multiple products An issue was discovered in the _send_secure_msg() function of yubihsm-shell through 2.0.2. | 7.5 |
2020-10-19 | CVE-2020-24387 | Out-of-bounds Write vulnerability in multiple products An issue was discovered in the yh_create_session() function of yubihsm-shell through 2.0.2. | 7.5 |
2020-03-05 | CVE-2020-10185 | Authentication Bypass by Capture-replay vulnerability in Yubico Yubikey ONE Time Password Validation Server The sync endpoint in YubiKey Validation Server before 2.40 allows remote attackers to replay an OTP. | 8.6 |
2020-03-05 | CVE-2020-10184 | SQL Injection vulnerability in Yubico Yubikey ONE Time Password Validation Server The verify endpoint in YubiKey Validation Server before 2.40 does not check the length of SQL queries, which allows remote attackers to cause a denial of service, aka SQL injection. | 7.5 |
2019-06-04 | CVE-2019-12210 | Unspecified vulnerability in Yubico Pam-U2F 1.0.7 In Yubico pam-u2f 1.0.7, when configured with debug and a custom debug log file is set using debug_file, that file descriptor is not closed when a new process is spawned. | 8.1 |
2019-06-04 | CVE-2019-12209 | Link Following vulnerability in Yubico Pam-U2F 1.0.7 Yubico pam-u2f 1.0.7 attempts parsing of the configured authfile (default $HOME/.config/Yubico/u2f_keys) as root (unless openasuser was enabled), and does not properly verify that the path lacks symlinks pointing to other files on the system owned by root. | 7.5 |