Skip to content

Infinite loop in Yubico yubihsm-connector

High severity GitHub Reviewed Published Feb 15, 2022 to the GitHub Advisory Database • Updated Feb 1, 2023

Package

gomod github.com/Yubico/yubihsm-connector (Go)

Affected versions

< 3.0.1

Patched versions

3.0.1

Description

An issue was discovered in the /api/connector endpoint handler in Yubico yubihsm-connector before 3.0.1 (in YubiHSM SDK before 2021.04). The handler did not validate the length of the request, which can lead to a state where yubihsm-connector becomes stuck in a loop waiting for the YubiHSM to send it data, preventing any further operations until the yubihsm-connector is restarted. An attacker can send 0, 1, or 2 bytes to trigger this.

References

Published by the National Vulnerability Database Apr 14, 2021
Reviewed May 7, 2021
Published to the GitHub Advisory Database Feb 15, 2022
Last updated Feb 1, 2023

Severity

High

EPSS score

0.176%
(55th percentile)

Weaknesses

CVE ID

CVE-2021-28484

GHSA ID

GHSA-8m9g-647g-5pxw

Source code

No known source code
Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.