CVE-2023-39908

The PKCS11 module of the YubiHSM 2 SDK through 2023.01 does not properly validate the length of specific read operations on object metadata. This may lead to disclosure of uninitialized and previously used memory.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
mitreCNA
---
---
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 43%
VendorProductVersion
yubicoyubihsm_2_sdk
𝑥
< 2023.08
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://blog.inhq.net/posts/yubico-yubihsm-pkcs-vuln/
https://www.yubico.com/support/security-advisories/ysa-2023-01/
https://blog.inhq.net/posts/yubico-yubihsm-pkcs-vuln/
https://www.yubico.com/support/security-advisories/ysa-2023-01/