PT-2023-27145 · Yubico · Yubihsm 2 Sdk

Christian Reitter

Published

2023-08-14

Updated

2023-08-25

CVE-2023-39908

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions YubiHSM 2 SDK versions through 2023.01

Description The PKCS11 module of the YubiHSM 2 SDK does not properly validate the length of specific read operations on object metadata. This may lead to disclosure of uninitialized and previously used memory.

Recommendations For YubiHSM 2 SDK versions through 2023.01, consider updating to a version later than 2023.01 to resolve the issue. As a temporary workaround, restrict access to the PKCS11 module to minimize the risk of exploitation. At the moment, there is no information about additional mitigation measures.

Fix

Out of bounds Read

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-125

Related Identifiers

CVE-2023-39908

Affected Products

Yubihsm 2 Sdk

PT-2023-27145 · Yubico · Yubihsm 2 Sdk

CVE-2023-39908

Weakness Enumeration

Related Identifiers

Affected Products

References · 9