PT-2022-16736 · Yubico · Yubikey

Published: 2022-05-11 · Updated: 2024-08-03 · CVE-2022-24584

CVSS v2.0: 4.0 (Medium)

Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions: YubiKey (affected versions not specified)

Description: The issue concerns incorrect access control in the Yubico OTP functionality of the YubiKey hardware tokens and the Yubico OTP validation server. The Yubico OTP is supposed to create hardware-bound second-factor credentials. A user can reprogram the OTP functionality using the Yubico Personalization Tool and then upload the new configuration to Yubico's OTP validation servers. The vendor disputes this issue, stating that a YubiKey device cannot prevent a user from deciding to store a secret value elsewhere after it has been imported into the device.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Incorrect Authorization

Weakness Enumeration

Related Identifiers: CVE-2022-24584

Affected Products: Yubikey