Yubico YubiHSM-Shell 2.0.3

CPE Details

Yubico YubiHSM-Shell 2.0.3
yubico
yubihsm-shell
2.0.3
2020-11-02
16h55 +00:00
2020-11-02
16h55 +00:00
CPE NVD
Alerte pour un CPE
Stay informed of any changes for a specific CPE.
Notifications manage

CPE Name: cpe:2.3:a:yubico:yubihsm-shell:2.0.3:*:*:*:*:*:*:*

Informations

Vendor

yubico

Product

yubihsm-shell

Version

2.0.3

Related CVE

Open and find in CVE List

CVE ID Published Description Score Severity
CVE-2021-32489 2021-05-10 19h20 +00:00 An issue was discovered in the _send_secure_msg() function of Yubico yubihsm-shell through 2.0.3. The function does not correctly validate the embedded length field of an authenticated message received from the device because response_msg.st.len=8 can be accepted but triggers an integer overflow, which causes CRYPTO_cbc128_decrypt (in OpenSSL) to encounter an undersized buffer and experience a segmentation fault. The yubihsm-shell project is included in the YubiHSM 2 SDK product.
4.4
Medium
CVE-2021-27217 2021-03-04 16h45 +00:00 An issue was discovered in the _send_secure_msg() function of Yubico yubihsm-shell through 2.0.3. The function does not correctly validate the embedded length field of an authenticated message received from the device. Out-of-bounds reads performed by aes_remove_padding() can crash the running process, depending on the memory layout. This could be used by an attacker to cause a client-side denial of service. The yubihsm-shell project is included in the YubiHSM 2 SDK product.
4.4
Medium
The information presented on CVE Find originates from several carefully selected reference sources. CVE data is provided by MITRE Corporation and the National Vulnerability Database (NVD). The Known Exploited Vulnerabilities (KEV) catalog is sourced from the Cybersecurity and Infrastructure Security Agency (CISA), while EPSS scores come from FIRST.org. Additionally, data regarding software weaknesses (CWE) and common attack patterns (CAPEC) is maintained by MITRE Corporation, and information on hardware and software configurations (CPE) is provided by the NVD.