CVE-2021-28484Infinite Loop in Yubico Yubihsm-connector

CWE-835Infinite Loop3 documents3 sources
Severity
7.5HIGHNVD
EPSS
0.6%
top 31.63%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Github.com Yubico Yubihsm-connectorYubico Yubihsm ConnectorFedoraproject Fedora
Timeline
PublishedApr 14
Latest updateFeb 15

Description

An issue was discovered in the /api/connector endpoint handler in Yubico yubihsm-connector before 3.0.1 (in YubiHSM SDK before 2021.04). The handler did not validate the length of the request, which can lead to a state where yubihsm-connector becomes stuck in a loop waiting for the YubiHSM to send it data, preventing any further operations until the yubihsm-connector is restarted. An attacker can send 0, 1, or 2 bytes to trigger this.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

Also affects: Fedora 34

🔴Vulnerability Details

2
GHSA
Infinite loop in Yubico yubihsm-connector2022-02-15
OSV
Infinite loop in Yubico yubihsm-connector2022-02-15
CVE-2021-28484 — Infinite Loop | cvebase