Yubihsm Shell
cpe:2.3:a:yubico:yubihsm-shell:*:*:*:*:*:*:*:*
part: a version: * update: *
| Vendor | Yubico (f47f12e0-b4db-5ed2-80cf-70347f747b11) |
|---|---|
| Product | Yubihsm Shell (64a99b54-9494-5af0-a766-e43e1753bd8d) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from purl2cpe mapping |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| pkg:github/yubico/yubihsm-shell | purl2cpe | 2026-06-01 10:13:15.769775 |
| pkg:rpm/fedora/yubihsm-shell | purl2cpe | 2026-06-01 10:13:15.769778 |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
| CVE:CVE-2021-32489 | vulnerable | 2026-06-03 14:44:34.500121 | Details available. MEDIUM (4.4). An issue was discovered in the _send_secure_msg() function of Yubico yubihsm-shell through 2.0.3. The function does not correctly validate the embedded length field of an authenticated message received from the device because response_msg.st.len=8 can be accepted but triggers an integer overflow, which causes CRYPTO_cbc128_decrypt (in OpenSSL) to encounter an undersized buffer and experience a segmentation fault. The yubihsm-shell project is included in the YubiHSM 2 SDK product. Published: 2021-05-10T21:20:49.000Z. Updated: 2024-08-03T23:17:29.560Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2021-27217 | vulnerable | 2026-06-03 14:44:09.717660 | Details available. An issue was discovered in the _send_secure_msg() function of Yubico yubihsm-shell through 2.0.3. The function does not correctly validate the embedded length field of an authenticated message received from the device. Out-of-bounds reads performed by aes_remove_padding() can crash the running process, depending on the memory layout. This could be used by an attacker to cause a client-side denial of service. The yubihsm-shell project is included in the YubiHSM 2 SDK product. Published: 2021-03-04T17:45:33.000Z. Updated: 2024-08-03T20:40:47.490Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2020-24388 | vulnerable | 2026-06-03 14:42:06.385600 | Details available. An issue was discovered in the _send_secure_msg() function of yubihsm-shell through 2.0.2. The function does not validate the embedded length field of a message received from the device. This could lead to an oversized memcpy() call that will crash the running process. This could be used by an attacker to cause a denial of service. Published: 2020-10-19T19:41:33.000Z. Updated: 2024-08-04T15:12:08.714Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2020-24387 | vulnerable | 2026-06-03 14:42:06.385108 | Details available. An issue was discovered in the yh_create_session() function of yubihsm-shell through 2.0.2. The function does not explicitly check the returned session id from the device. An invalid session id would lead to out-of-bounds read and write operations in the session array. This could be used by an attacker to cause a denial of service attack. Published: 2020-10-19T19:39:23.000Z. Updated: 2024-08-04T15:12:08.557Z | Imported from gcve-enriched-dumps CVE data |