Yubico vulnerabilities rated Medium

Each entry lists the publication date, CVE identifier and title, followed by the description and a risk line (attack vector and attack complexity where given, affected vendors, CWE, score).

2024-09-03  CVE-2024-45678  Information Exposure Through Discrepancy vulnerability in Yubico products
    Yubico YubiKey 5 Series devices with firmware before 5.7.0 and YubiHSM 2 devices with firmware before 2.4.0 allow an ECDSA secret-key extraction attack (that requires physical access and expensive equipment) in which an electromagnetic side channel is present because of a non-constant-time modular inversion for the Extended Euclidean Algorithm, aka the EUCLEAK issue.
    Risk: high complexity; vendors: yubico; CWE-203; score 4.2

2022-05-11  CVE-2022-24584  Incorrect Authorization vulnerability in Yubico OTP
    Incorrect access control in Yubico OTP functionality of the YubiKey hardware tokens along with the Yubico OTP validation server.
    Risk: attack vector network; low complexity; vendors: yubico; CWE-863; score 6.5

2022-03-30  CVE-2015-3298  Improper Verification of Cryptographic Signature vulnerability in Yubico ykneo-openpgp
    Yubico ykneo-openpgp before 1.0.10 has a typo in which an invalid PIN can be used.
    Risk: low complexity; vendors: yubico; CWE-347; score 5.8

2021-05-26  CVE-2021-31924  Improper Authentication vulnerability in multiple products
    Yubico pam-u2f before 1.1.1 has a logic issue that, depending on the pam-u2f configuration and the application used, could lead to a local PIN bypass.
    Risk: low complexity; vendors: yubico, fedoraproject; CWE-287; score 6.8

2021-01-07  CVE-2021-3011  Always-Incorrect Control Flow Implementation vulnerability in multiple products
    An electromagnetic-wave side-channel issue was discovered on NXP SmartMX / P5x security microcontrollers and A7x secure authentication microcontrollers, with CryptoLib through v2.9.
    Risk: high complexity; vendors: yubico, nxp, ftsafe, google; CWE-670; score 4.2

2020-07-09  CVE-2020-15000  Unspecified vulnerability in Yubico YubiKey 5 NFC Firmware
    A PIN management problem was discovered on Yubico YubiKey 5 devices 5.2.0 to 5.2.6.
    Risk: attack vector network; vendors: yubico; score 4.3

2020-03-05  CVE-2020-10185  Authentication Bypass by Capture-replay vulnerability in Yubico YubiKey One-Time Password Validation Server
    The sync endpoint in YubiKey Validation Server before 2.40 allows remote attackers to replay an OTP.
    Risk: attack vector network; vendors: yubico; CWE-294; score 6.8

2020-03-05  CVE-2020-10184  SQL Injection vulnerability in Yubico YubiKey One-Time Password Validation Server
    The verify endpoint in YubiKey Validation Server before 2.40 does not check the length of SQL queries, which allows remote attackers to cause a denial of service, aka SQL injection.
    Risk: attack vector network; low complexity; vendors: yubico; CWE-89; score 5.0

2019-06-04  CVE-2019-12210  Unspecified vulnerability in Yubico pam-u2f 1.0.7
    In Yubico pam-u2f 1.0.7, when configured with debug and a custom debug log file is set using debug_file, that file descriptor is not closed when a new process is spawned.
    Risk: attack vector network; low complexity; vendors: yubico; score 5.5

2019-03-21  CVE-2018-20340  Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products
    Yubico libu2f-host 1.1.6 contains unchecked buffers in devs.c, which could enable a malicious token to exploit a buffer overflow.
    Risk: attack vector local; low complexity; vendors: yubico, debian; CWE-119; score 4.6