23 matches found
YSA-2026-02 | Yubico
A security update is available for the Yubico open-source software project webauthn-server-core to resolve a user impersonation vulnerability. No Yubico hardware is affected. In specific implementations, an attacker that has an existing account with a relying party RP can authenticate as a target...
YSA-2026-01 | Yubico
Security updates which resolve a DLL search path vulnerability on Windows are available for three Yubico open source software projects: libfido2, YubiKey Manager, and python-fido2. If an attacker is able to place a malicious file in the directory where the affected software or Python is installed...
YSA-2025-02 | Yubico
A low severity issue has been identified in YubiKeys versions 5.4.1 through 5.7.3 in the FIDO CTAP PIN/UV Auth Protocol Two implementation. These YubiKey versions use the 16 byte signature length from CTAP PIN/UV Auth Protocol One during the verification step, even when the 32 byte CTAP PIN/UV Au...
YSA 2025 01 | Yubico
Yubico’s open source pam-u2f software package implements a Pluggable Authentication Module PAM that can be deployed to support authentication using a YubiKey or other FIDO compliant authenticators on macOS or Linux. This software package has an issue which allows for an authentication bypass in...
Security Advisory YSA-2024-03 | Yubico
A vulnerability was discovered in Infineon’s cryptographic library, which is utilized in YubiKey 5 Series, and Security Key Series with firmware prior to 5.7.0 and YubiHSM 2 with firmware prior to 2.4.0. The severity of the issue in Yubico devices is moderate. An attacker could exploit this issue...
Security Advisory YSA-2024-02 | Yubico
To address a low severity privacy issue, Yubico has released updated firmware for YubiKey 5 Series, Security Key Series, and YubiKey Bio Series. The YubiKey CSPN Series and YubiKey 5 FIPS series are also affected. The YubiKey 5 FIPS series will receive this privacy update in the next release of...
Security Advisory YSA-2024-01 | Yubico
A security issue has been identified in YubiKey Manager GUI which could lead to unexpected privilege escalation on Windows. If a user runs the YubiKey Manager GUI as Administrator, browser windows opened by YubiKey Manager GUI may be opened as Administrator which could be exploited by a local...
Security Advisory YSA-2023-01 | Yubico
The PKCS11 module of the YubiHSM 2 SDK does not properly validate the length of specific read operations on object metadata which may lead to disclosure of uninitialized and previously used memory...
Security Advisory YSA-2021-04 | Yubico
The YubiHSM library that is included in the yubihsm-shell project, does not properly validate the length of some operations including SSH signing requests and some data operations received from the YubiHSM 2...
Security Advisory YSA-2021-03 | Yubico
A security update for pam-u2f resolves a logic issue that, depending on the pam-u2f configuration and the application used, could lead to a local PIN bypass. This issue does not allow user presence touch or cryptographic signature verification to be bypassed, so an attacker would still need to...
Security Advisory YSA-2021-02 | Yubico
The yubihsm-connector utility provides a HTTP interface for interacting with a YubiHSM 2. This interface is used by many other components in the YubiHSM 2 SDK ecosystem, including the yubihsm-shell, the PKCS11 library yubihsmpkcs11, and the YubiHSM Key Storage Provider KSP for Windows®...
Security Advisory YSA-2021-01 | Yubico
The yubihsm library, included in the yubihsm-shell project, does not properly validate the length of authenticated messages during device communication. A maliciously-crafted YubiHSM 2 device, or someone with access to traffic between the HSM and yubihsm library, could cause the yubihsm library t...
Security Advisory YSA-2020-06 | Yubico
The yubihsm library, included in the yubihsm-shell project, does not properly validate two message fields during device communication. A maliciously-crafted YubiHSM2 device, or someone with access to the HTTP traffic between a client and server handling the device, could cause the yubihsm library...
Security Advisory YSA-2020-04 | Yubico
The OTP application on the YubiKey 5 NFC allows a user to set optional access codes on OTP slots. This access code is intended to prevent unauthorized changes to OTP configurations. It was discovered that the access code is not checked when updating NFC-specific components of the OTP...
Security advisory YSA-2020-02, YSA-2020-03 | Yubico | YubiKey
The libykpiv library, included in the Yubico PIV Tool project and the YubiKey Smart Card Minidriver, does not properly check embedded length fields during device communication. A maliciously-crafted PIV token could possibly misreport the returned length fields during RSA key generation. This coul...
Security advisory YSA-2020-01 | Yubico
Yubico received a report from LinkedIn Information Security indicating there is insufficient data validation in the open-source project for YubiKey Validation Server git: yubikey-val. Yubico verified the issue and has made a security update available to mitigate this issue and enhance the...
Security advisory YSA-2019-02 | Yubico
Who should read this advisory? Customers, IT Managers, or FIPS Crypto Officers who use or manage YubiKey FIPS Series devices. An issue exists in YubiKey FIPS Series devices, versions 4.4.2 and 4.4.4 please note, there is no released firmware version 4.4.3. , where the first set of random values...
Security advisory YSA-2019-01 | Yubico
Yubico library libu2f-host prior to version 1.1.7 contains an unchecked buffer, which could allow a buffer overflow. Libu2f-host is a library that implements the host party of the U2F protocol. This issue can allow an attacker with a custom made malicious USB device masquerading as a security key...
Security advisory YSA-2018-03 | Yubico
Eric Sesterhenn of X41 D-Sec notified Yubico of a security issue in libykpiv, a supporting library of the Yubico PIV Tool, YubiKey PIV Manager, and Yubikey Smart Card Minidriver. This issue can allow an attacker with a custom made malicious USB device masquerading as a YubiKey, and physical acces...
Security advisory YSA-2018-02 | Yubico
In Chrome 61, released in September, 2017, Google included a feature called WebUSB. WebUSB allows websites to request direct access to USB devices through JavaScript. A web page could potentially access and interact with a USB device interface unless the operating system reserved exclusive access...
Security advisory YSA-2018-01 | Yubico
Oscar Mira and Roi Martin from the Schibsted security team informed us of a security issue in the OATH Initiative for Open Authentication applet on the YubiKey NEO. The YubiKey OATH applet is used to generate time-based one-time password TOTP and HMAC-based one-time password HOTP codes that are...
Security advisory YSA-2017-01 | Yubico
Description not found...
SecurityAdvisory 2015-04-14
The source code contains a logical flaw related to user PIN aka PW1 verification that allows an attacker with local host privileges and/or physical proximity NFC to perform security operations without knowledge of the user’s PIN code...