First published: Wed May 11 2022 (Updated: )
** DISPUTED ** Incorrect access control in the Yubico OTP functionality of YubiKey hardware tokens, together with the Yubico OTP validation server. Yubico OTP is supposed to create hardware-bound second-factor credentials. When a user reprograms the OTP functionality by "writing" it to a token with the Yubico Personalization Tool, they can then upload the new configuration to Yubico's OTP validation servers. NOTE: the vendor disputes this because there is no way for a YubiKey device to prevent a user from deciding that a secret value which is imported into the device should also be stored elsewhere.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Yubico OTP | | |
The vulnerability ID for this issue is CVE-2022-24584.
The severity of CVE-2022-24584 is medium, with a severity score of 6.5.
The affected software for CVE-2022-24584 is Yubico OTP.
The Common Weakness Enumeration (CWE) ID for CVE-2022-24584 is CWE-863 (Incorrect Authorization).
References for CVE-2022-24584: [reference 1](https://demo.yubico.com/otp/verify), [reference 2](https://pastebin.com/7iLR1EbW), [reference 3](https://pastebin.com/xAh8uV6J).