{ "affected": [ { "database_specific": { "unresolved_ranges": [ { "events": [ { "introduced": "0" }, { "last_affected": "33" } ] } ] }, "ranges": [ { "database_specific": { "versions": [ { "introduced": "0" }, { "last_affected": "2.0.2" } ] }, "events": [ { "introduced": "0" }, { "last_affected": "8ada38bdcaa032c0747487fcd72eb7c5267369d1" } ], "repo": "https://github.com/yubico/yubihsm-shell", "type": "GIT" } ] } ], "details": "An issue was discovered in the _send_secure_msg() function of yubihsm-shell through 2.0.2. The function does not validate the embedded length field of a message received from the device. This could lead to an oversized memcpy() call that will crash the running process. This could be used by an attacker to cause a denial of service.", "id": "CVE-2020-24388", "modified": "2026-03-13T21:52:31.454613834Z", "published": "2020-10-19T20:15:12.993Z", "references": [ { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y77KQJW76M3PFOBFLBT6DLH2NWHYRNZO/" }, { "type": "ADVISORY", "url": "https://developers.yubico.com/yubihsm-shell/" }, { "type": "ADVISORY", "url": "https://github.com/Yubico/yubihsm-shell" }, { "type": "ADVISORY", "url": "https://www.yubico.com/support/security-advisories/ysa-2020-06/" }, { "type": "EVIDENCE", "url": "https://blog.inhq.net/posts/yubico-libyubihsm-vuln/" } ], "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "type": "CVSS_V3" } ] }