Vulnerability Description
An issue was discovered in Yubico libykpiv before 2.1.0. An attacker can trigger an incorrect free() in the ykpiv_util_generate_key() function in lib/util.c through incorrect error handling code. This could be used to cause a denial of service attack.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Yubico | Libykpiv | < 2.1.0 |
| Yubico | Piv Tool Manager | < 2.0.0 |
| Yubico | Yubikey Smart Card Minidriver | <= 4.1.0.172 |
Related Weaknesses (CWE)
References
- https://blog.inhq.net/posts/yubico-libykpiv-vuln/ (Exploit, Third Party Advisory)
- https://www.yubico.com/support/security-advisories/ysa-2020-02/ (Vendor Advisory)
FAQ
What is CVE-2020-13132?
CVE-2020-13132 is a vulnerability with a CVSS score of 4.6 (MEDIUM). An issue was discovered in Yubico libykpiv before 2.1.0. An attacker can trigger an incorrect free() in the ykpiv_util_generate_key() function in lib/util.c through incorrect error handling code. This...
How severe is CVE-2020-13132?
CVE-2020-13132 has been rated MEDIUM with a CVSS base score of 4.6/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2020-13132?
Check the references section above for vendor advisories and patch information. Affected products include: Yubico Libykpiv, Yubico Piv Tool Manager, Yubico Yubikey Smart Card Minidriver.