6.8

CVE-2021-31924

EPSS 0.09%
Published 26.05.2021 00:15:08
Last modified 21.11.2024 06:06:31
Source cve@mitre.org
Teams watchlist Login
Open Login

Yubico pam-u2f before 1.1.1 has a logic issue that, depending on the pam-u2f configuration and the application used, could lead to a local PIN bypass. This issue does not allow user presence (touch) or cryptographic signature verification to be bypassed, so an attacker would still need to physically possess and interact with the YubiKey or another enrolled authenticator. If pam-u2f is configured to require PIN authentication, and the application using pam-u2f allows the user to submit NULL as the PIN, pam-u2f will attempt to perform a FIDO2 authentication without PIN. If this authentication is successful, the PIN requirement is bypassed.

Affected products Warnungen 0 Metrics 3 CWE 1 References 8

Data is provided by the National Vulnerability Database (NVD)

Yubico ≫ Pam-u2f Version < 1.1.1

Fedoraproject ≫ Fedora Version34

Fedoraproject ≫ Fedora Version35

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.09%	0.256

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.8	0.9	5.9	CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	4.6	3.9	6.4	AV:L/AC:L/Au:N/C:P/I:P/A:P

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

https://developers.yubico.com/pam-u2f/

Vendor Advisory

Product

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CRBVOZEMVO72FV4Z5O4GBGSURXHWRGD3/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IL3I5AKECLMK4ADLLACLOEF7H5CMNDP2/

https://security.gentoo.org/glsa/202208-11

Third Party Advisory

https://www.yubico.com/support/security-advisories/ysa-2021-03

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2021-31924

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-31924

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-31924

EUVD