Yubico.comYSA-2020-01Security advisory YSA-2020-01 - Yubico
6.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
8.6 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
0.007 Low
EPSS
Percentile
80.2%
Yubico received a report from LinkedIn Information Security indicating there is insufficient data validation in the open-source project for YubiKey Validation Server (git: yubikey-val). Yubico verified the issue and has made a security update available to mitigate this issue and enhance the validation of information sent to the APIs. The next major release of the YubiKey Validation Server will become available by July 2020.
This issue potentially affects developers, partners, and customers who have used a YubiKey Validation Server to build a self-hosted one-time password (OTP) validation service. The default configuration of the service only exposes the verify API, which could allow an attacker to perform a denial of service, potentially preventing legitimate authentications. Additionally, if the configuration has been modified to expose the sync API, then this vulnerability could potentially be used by an attacker to replay a previously used OTP.
Related
6.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
8.6 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
0.007 Low
EPSS
Percentile
80.2%