Denial of Service Vulnerability in Yubico YubiHSM Connector
CVE-2021-28484

7.5 HIGH

Key Information:

Vendor: Yubico

CVE Published: 14 April 2021

What is CVE-2021-28484?

The /api/connector endpoint handler of the Yubico YubiHSM Connector prior to version 3.0.1 does not properly validate the length of incoming requests. As a result, the connector can become unresponsive, stuck in a loop while it waits for the YubiHSM to respond. While it is in that state all operations are halted, and the only remedy is to restart the yubihsm-connector. An attacker can trigger the condition by sending a request containing 0, 1, or 2 bytes of data, disrupting service.
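The missing check described above, sketched in Go as an added example; this is not Yubico's code or the actual fix. It assumes a 3-byte frame header (1-byte command code, 2-byte big-endian payload length); `maxFrame`, `handle`, `forward` and the sample bytes are hypothetical names and values constructed for illustration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net/http"
)

const (
	headerLen = 3    // assumed framing: 1-byte command + 2-byte big-endian length
	maxFrame  = 4096 // hypothetical upper bound chosen for this example
)
var (
	errShort  = errors.New("frame shorter than 3-byte header")
	errLong   = errors.New("frame exceeds maximum size")
	errLength = errors.New("declared length does not match payload")
)

// validateFrame rejects request bodies the device would never answer.
func validateFrame(body []byte) error {
	switch {
	case len(body) < headerLen:
		return errShort
	case len(body) > maxFrame:
		return errLong
	case int(binary.BigEndian.Uint16(body[1:3])) != len(body)-headerLen:
		return errLength
	}
	return nil
}

// handle validates before forwarding; forward is a hypothetical HSM round trip.
func handle(body []byte, forward func([]byte) ([]byte, error)) (int, []byte) {
	if err := validateFrame(body); err != nil {
		return http.StatusBadRequest, []byte(err.Error())
	}
	resp, err := forward(body)
	if err != nil {
		return http.StatusBadGateway, nil
	}
	return http.StatusOK, resp
}

func main() {
	// Constructed sample frames of 0, 1, 2 and 3 bytes.
	for _, b := range [][]byte{{}, {0x06}, {0x06, 0x00}, {0x06, 0x00, 0x00}} {
		fmt.Printf("%d bytes: %v\n", len(b), validateFrame(b))
	}
}
```

Validation alone does not cover a device that stops answering for other reasons, so a deadline on the round trip behind `forward` is a sensible companion control.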


CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
