Infinite loop in Yubico yubihsm-connector
High severity
GitHub Reviewed
Published
Feb 15, 2022
to the GitHub Advisory Database
•
Updated Feb 1, 2023
Package
Affected versions
< 3.0.1
Patched versions
3.0.1
Description
Published by the National Vulnerability Database
Apr 14, 2021
Reviewed
May 7, 2021
Published to the GitHub Advisory Database
Feb 15, 2022
Last updated
Feb 1, 2023
An issue was discovered in the /api/connector endpoint handler in Yubico yubihsm-connector before 3.0.1 (in YubiHSM SDK before 2021.04). The handler did not validate the length of the request, which can lead to a state where yubihsm-connector becomes stuck in a loop waiting for the YubiHSM to send it data, preventing any further operations until the yubihsm-connector is restarted. An attacker can send 0, 1, or 2 bytes to trigger this.
References