VYPR

yubihsm-shell

by Yubico

CVEs (5)

  • CVE-2021-43399HigDec 8, 2021
    risk 0.49cvss 7.5epss 0.01

    The Yubico YubiHSM YubiHSM2 library 2021.08, included in the yubihsm-shell project, does not properly validate the length of some operations including SSH signing requests, and some data operations received from a YubiHSM 2 device.

  • CVE-2020-24388HigOct 19, 2020
    risk 0.49cvss 7.5epss 0.02

    An issue was discovered in the _send_secure_msg() function of yubihsm-shell through 2.0.2. The function does not validate the embedded length field of a message received from the device. This could lead to an oversized memcpy() call that will crash the running process. This…

  • CVE-2020-24387HigOct 19, 2020
    risk 0.49cvss 7.5epss 0.02

    An issue was discovered in the yh_create_session() function of yubihsm-shell through 2.0.2. The function does not explicitly check the returned session id from the device. An invalid session id would lead to out-of-bounds read and write operations in the session array. This…

  • CVE-2021-32489MedMay 10, 2021
    risk 0.29cvss 4.4epss 0.01

    An issue was discovered in the _send_secure_msg() function of Yubico yubihsm-shell through 2.0.3. The function does not correctly validate the embedded length field of an authenticated message received from the device because response_msg.st.len=8 can be accepted but triggers an…

  • CVE-2021-27217MedMar 4, 2021
    risk 0.29cvss 4.4epss 0.02

    An issue was discovered in the _send_secure_msg() function of Yubico yubihsm-shell through 2.0.3. The function does not correctly validate the embedded length field of an authenticated message received from the device. Out-of-bounds reads performed by aes_remove_padding() can…