Vulnerability Description
An information leak was discovered on Yubico YubiKey 5 NFC devices 5.0.0 to 5.2.6 and 5.3.0 to 5.3.1. The OTP application allows a user to set optional access codes on OTP slots. This access code is intended to prevent unauthorized changes to OTP configurations. The access code is not checked when updating NFC specific components of the OTP configurations. This may allow an attacker to access configured OTPs and passwords stored in slots that were not configured by the user to be read over NFC, despite a user having set an access code. (Users who have not set an access code, or who have not configured the OTP slots, are not impacted by this issue.)
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Yubico | Yubikey 5 Nfc Firmware | >= 5.0.0, <= 5.2.6 |
| Yubico | Yubikey 5 Nfc | - |
Related Weaknesses (CWE)
References
- https://www.yubico.com/support/security-advisories/ysa-2020-04/ExploitMitigationVendor Advisory
- https://www.yubico.com/support/security-advisories/ysa-2020-04/ExploitMitigationVendor Advisory
FAQ
What is CVE-2020-15001?
CVE-2020-15001 is a vulnerability with a CVSS score of 5.3 (MEDIUM). An information leak was discovered on Yubico YubiKey 5 NFC devices 5.0.0 to 5.2.6 and 5.3.0 to 5.3.1. The OTP application allows a user to set optional access codes on OTP slots. This access code is i...
How severe is CVE-2020-15001?
CVE-2020-15001 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-15001?
Check the references section above for vendor advisories and patch information. Affected products include: Yubico Yubikey 5 Nfc Firmware, Yubico Yubikey 5 Nfc.