CVE-2020-15001
Summary
| CVE | CVE-2020-15001 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2020-07-09 19:15:00 UTC |
| Updated | 2021-07-21 11:39:00 UTC |
| Description | An information leak was discovered on Yubico YubiKey 5 NFC devices 5.0.0 to 5.2.6 and 5.3.0 to 5.3.1. The OTP application allows a user to set optional access codes on OTP slots. This access code is intended to prevent unauthorized changes to OTP configurations. The access code is not checked when updating NFC specific components of the OTP configurations. This may allow an attacker to access configured OTPs and passwords stored in slots that were not configured by the user to be read over NFC, despite a user having set an access code. (Users who have not set an access code, or who have not configured the OTP slots, are not impacted by this issue.) |
Risk And Classification
Problem Types: CWE-862
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Hardware | Yubico | YubiKey 5 NFC | - | All | All | All |
| Operating System | Yubico | YubiKey 5 NFC Firmware | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Security Advisory YSA-2020-04 - Yubico | CONFIRM | www.yubico.com | Exploit, Mitigation, Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.