CVE-2021-27217
First published: Thu Mar 04 2021(Updated: )
An issue was discovered in the _send_secure_msg() function of Yubico yubihsm-shell through 2.0.3. The function does not correctly validate the embedded length field of an authenticated message received from the device. Out-of-bounds reads performed by aes_remove_padding() can crash the running process, depending on the memory layout. This could be used by an attacker to cause a client-side denial of service. The yubihsm-shell project is included in the YubiHSM 2 SDK product.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Yubico YubiHSM Shell | <=2.0.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2021-27217?
CVE-2021-27217 is a vulnerability in the _send_secure_msg() function of Yubico yubihsm-shell through version 2.0.3. It allows for out-of-bounds reads that can crash the running process.
What is the severity of CVE-2021-27217?
The severity of CVE-2021-27217 is medium with a CVSS score of 4.4.
How does CVE-2021-27217 impact Yubico yubihsm-shell?
CVE-2021-27217 impacts Yubico yubihsm-shell by allowing for out-of-bounds reads that can crash the running process.
How can CVE-2021-27217 be fixed?
To fix CVE-2021-27217, update Yubico yubihsm-shell to version 2.0.4 or later.
Are there any references for CVE-2021-27217?
Yes, here are some references for CVE-2021-27217: [1] [2] [3]
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/author
- agent/references
- agent/weakness
- agent/description
- agent/event
- agent/first-publish-date
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/yubico
- canonical/yubico yubihsm shell
- version/yubico yubihsm shell/2.0.3