ID CVE-2020-24387
Summary An issue was discovered in the yh_create_session() function of yubihsm-shell through 2.0.2. The function does not explicitly check the returned session id from the device. An invalid session id would lead to out-of-bounds read and write operations in the session array. This could be used by an attacker to cause a denial of service attack.
References
Vulnerable Configurations
  • cpe:2.3:a:yubico:yubihsm-shell:2.0.0:*:*:*:*:*:*:*
    cpe:2.3:a:yubico:yubihsm-shell:2.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:yubico:yubihsm-shell:2.0.1:*:*:*:*:*:*:*
    cpe:2.3:a:yubico:yubihsm-shell:2.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:yubico:yubihsm-shell:2.0.2:*:*:*:*:*:*:*
    cpe:2.3:a:yubico:yubihsm-shell:2.0.2:*:*:*:*:*:*:*
  • cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
    cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
CVSS
Base: 5.0 (as of 21-07-2021 - 11:39)
Impact:
Exploitability:
CWE CWE-613
CAPEC
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
NONE NONE PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:N/I:N/A:P
refmap via4
fedora FEDORA-2020-8afd443d46
misc
Last major update 21-07-2021 - 11:39
Published 19-10-2020 - 20:15
Last modified 21-07-2021 - 11:39
Back to Top