CVE-2022-24584
Summary
| CVE | CVE-2022-24584 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2022-05-11 18:15:00 UTC |
| Updated | 2023-11-07 03:44:00 UTC |
| Description | ** DISPUTED ** Incorrect access control in Yubico OTP functionality of the YubiKey hardware tokens along with the Yubico OTP validation server. The Yubico OTP supposedly creates hardware-bound second-factor credentials. When a user reprograms the OTP functionality by "writing" it on a token using the Yubico Personalization Tool, they can then upload the new configuration to Yubico's OTP validation servers. NOTE: the vendor disputes this because there is no way for a YubiKey device to prevent a user from deciding that a secret value, which is imported into the device, should also be stored elsewhere. |
Risk And Classification
Problem Types: CWE-863
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Yubico demo website | MISC | demo.yubico.com | |
| CVE-2022-24584: Incorrect access control in Yubico OTP functionality of the Yu b - Pastebin.com | MISC | pastebin.com | |
| Yubico OTP key upload | MISC | upload.yubico.com | |
| Response to the disputing comments from the Vendor:Nowhere is claimed that t - Pastebin.com | MISC | pastebin.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.