CVE-2021-28484

Published: Apr 14, 2021Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

An issue was discovered in the /api/connector endpoint handler in Yubico yubihsm-connector before 3.0.1 (in YubiHSM SDK before 2021.04). The handler did not validate the length of the request, which can lead to a state where yubihsm-connector becomes stuck in a loop waiting for the YubiHSM to send it data, preventing any further operations until the yubihsm-connector is restarted. An attacker can send 0, 1, or 2 bytes to trigger this.

Affected (2)

Products: Yubico: Yubihsm Connector · Fedoraproject: Fedora

1 product

Yubihsm Connector

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Yubico Yubihsm Connector	Before 3.0.1

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 34

Related CWEs

Loop with Unreachable Exit Condition ('Infinite Loop')

The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

References (6)

https://github.com/Yubico/yubihsm-connector/releases

Source: cve@mitre.org

Third Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B7Q2KGXSPQEEONAWMFZRVH2TXWX3QPCQ/

Source: cve@mitre.org

https://www.yubico.com/support/security-advisories/ysa-2021-02/

Source: cve@mitre.org

Vendor Advisory

https://github.com/Yubico/yubihsm-connector/releases

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B7Q2KGXSPQEEONAWMFZRVH2TXWX3QPCQ/

Source: af854a3a-2127-422b-91ae-364da2661108

https://www.yubico.com/support/security-advisories/ysa-2021-02/

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.