First published: Thu Mar 05 2020(Updated: )
The verify endpoint in YubiKey Validation Server before 2.40 does not check the length of SQL queries, which allows remote attackers to cause a denial of service, aka SQL injection. NOTE: this issue is potentially relevant to persons outside Yubico who operate a self-hosted OTP validation service; the issue does NOT affect YubiCloud.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Yubico Yubikey One Time Password Validation Server | <2.40 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The vulnerability ID for this issue is CVE-2020-10184.
The severity rating of CVE-2020-10184 is high with a score of 7.5.
The affected software for CVE-2020-10184 is Yubico Yubikey One Time Password Validation Server up to version 2.39.
CVE-2020-10184 allows remote attackers to cause a denial of service through SQL injection.
Yes, the fix for CVE-2020-10184 was released in YubiKey Validation Server version 2.40.