Insufficient Length Validation in Yubico libykpiv Affects Sensitive Information Security
CVE-2020-13131
What is CVE-2020-13131?
An issue in Yubico's libykpiv library, specifically in the lib/util.c file, can lead to insecure handling of length fields during communication with PIV tokens. The flaw allows a malicious PIV token to misrepresent the length fields during the RSA key generation process, resulting in a potential memory leak in which sensitive data, such as PINs, passwords, and cryptographic keys, could be exposed. Stack memory may inadvertently be copied into heap memory, which, when processed by the caller, could allow this sensitive information to cross trust boundaries, posing significant security risks.
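
The class of check whose absence is described above, shown as an added example (it is not libykpiv's code or Yubico's fix): a length field taken from a token response is validated against the number of bytes actually received before anything is copied. The function names, the tag value 0x81 and the sample bytes are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical helper (not libykpiv's code): decode a BER-TLV length field.
 * Returns the number of bytes the length field occupies, or 0 if the field
 * is truncated or the declared value length runs past the end of the data
 * actually received from the token. */
static size_t tlv_length_checked(const unsigned char *p, size_t avail, size_t *len)
{
    size_t used, value;

    if (avail < 1) return 0;
    if (p[0] < 0x80) {                      /* short form: one byte */
        used = 1; value = p[0];
    } else if (p[0] == 0x81 && avail >= 2) { /* long form, one length byte */
        used = 2; value = p[1];
    } else if (p[0] == 0x82 && avail >= 3) { /* long form, two length bytes */
        used = 3; value = ((size_t)p[1] << 8) | p[2];
    } else {
        return 0;                           /* unsupported or truncated */
    }
    if (value > avail - used) return 0;     /* token claims more than it sent */
    *len = value;
    return used;
}

/* Copy the value of one TLV element out of a token response.
 * resp_len is the number of bytes really received, not the size of the
 * receive buffer, so bytes left in the buffer after the response are never
 * read. Returns 0 on success, -1 on any inconsistency. */
int tlv_copy_value(const unsigned char *resp, size_t resp_len, unsigned char tag,
                   unsigned char *out, size_t out_cap, size_t *out_len)
{
    size_t used, len;

    if (resp_len < 2 || resp[0] != tag) return -1;
    used = tlv_length_checked(resp + 1, resp_len - 1, &len);
    if (used == 0 || len > out_cap) return -1;
    memcpy(out, resp + 1 + used, len);
    *out_len = len;
    return 0;
}

/* Constructed sample responses (not captured from a real token). */
const unsigned char sample_ok[]  = {0x81, 0x82, 0x00, 0x03, 0xAA, 0xBB, 0xCC};
const unsigned char sample_lie[] = {0x81, 0x82, 0x01, 0x00, 0xAA, 0xBB, 0xCC};
```

`sample_lie` declares a 256-byte value while carrying only three bytes; the check rejects it instead of copying whatever follows the response in memory.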

