First published: Thu Jul 09 2020
An issue was discovered in Yubico libykpiv before 2.1.0. An attacker can trigger an incorrect free() in the ykpiv_util_generate_key() function in lib/util.c through incorrect error handling code. This could be used to cause a denial of service attack.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Yubico libykpiv | <2.1.0 | |
Yubico Piv Tool Manager | <2.0.0 | |
Yubico Yubikey Smart Card Minidriver | <=4.1.0.172 | |
The vulnerability ID of this issue is CVE-2020-13132.
The severity of CVE-2020-13132 is medium with a CVSS score of 4.6.
The affected software includes Yubico libykpiv before version 2.1.0, Yubico Piv Tool Manager before version 2.0.0, and Yubico Yubikey Smart Card Minidriver before version 4.1.0.172.
An attacker can trigger an incorrect free() through incorrect error handling code in the ykpiv_util_generate_key() function in lib/util.c, leading to a denial of service attack.
More information about CVE-2020-13132 is available at the following URLs: https://blog.inhq.net/posts/yubico-libykpiv-vuln/ and https://www.yubico.com/support/security-advisories/ysa-2020-02/