The verify endpoint in YubiKey Validation Server before 2.40 does not check the length of SQL queries, which allows remote attackers to cause a denial of service, aka SQL injection. NOTE: this issue is potentially relevant to persons outside Yubico who operate a self-hosted OTP validation service; the issue does NOT affect YubiCloud.

References:
https://github.com/Yubico/yubikey-val/releases/tag/yubikey-val-2.40
https://www.yubico.com/support/security-advisories/ysa-2020-01/
Created yubikey-val tracking bugs for this issue:

Affects: epel-6 [bug 1812234]
Affects: fedora-all [bug 1812235]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.