The sync endpoint in YubiKey Validation Server before 2.40 allows remote attackers to replay an OTP. NOTE: this issue is potentially relevant to persons outside Yubico who operate a self-hosted OTP validation service with a non-default configuration such as an open sync pool; the issue does NOT affect YubiCloud.

References:
https://github.com/Yubico/yubikey-val/releases/tag/yubikey-val-2.40
https://www.yubico.com/support/security-advisories/ysa-2020-01/
Created yubikey-val tracking bugs for this issue:

Affects: epel-6 [bug 1812226]
Affects: fedora-all [bug 1812225]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.