CVE-2020-10184
Last modified
CVE-2020-10184 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. The verify endpoint in YubiKey Validation Server before 2.40 does not check the length of SQL queries, which allows remote attackers to cause a denial of service, aka SQL injection. NOTE: this issue is potentially relevant to persons outside Yubico who operate a self-hosted OTP validation service; the issue does NOT affect YubiCloud.. EPSS estimates a 1.50% chance of exploitation in the next 30 days.
Description
The verify endpoint in YubiKey Validation Server before 2.40 does not check the length of SQL queries, which allows remote attackers to cause a denial of service, aka SQL injection. NOTE: this issue is potentially relevant to persons outside Yubico who operate a self-hosted OTP validation service; the issue does NOT affect YubiCloud.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Yubico | Yubikey One Time Password Validation Server | < 2.40 |
References
- https://github.com/Yubico/yubikey-val/releases/tag/yubikey-val-2.40Release Notes, Third Party Advisory
- https://www.yubico.com/support/security-advisories/ysa-2020-01/Exploit, Vendor Advisory
- https://github.com/Yubico/yubikey-val/releases/tag/yubikey-val-2.40Release Notes, Third Party Advisory
- https://www.yubico.com/support/security-advisories/ysa-2020-01/Exploit, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2020-10184?
How severe is CVE-2020-10184?
How do I fix CVE-2020-10184?
Are you affected by CVE-2020-10184?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST