Description
Yubico ykneo-openpgp before 1.0.10 has a typo in which an invalid PIN can be used. When first powered up, a signature will be issued even though the PIN has not been validated.
References (1)
Core 1
Core References
Exploit, Mitigation, Vendor Advisory x_refsource_misc
https://developers.yubico.com/ykneo-openpgp/SecurityAdvisory%202015-04-14.html
Scores
CVSS v3
8.8
EPSS
0.0065
EPSS Percentile
46.3%
Attack Vector
ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-347
Status
published
Products (1)
yubico/ykneo-openpgp
< 1.0.10
Published
Mar 30, 2022
Tracked Since
Feb 18, 2026