CVE-2022-24584
Severity: MEDIUM
Yubico OTP - Incorrect Authorization via Reprogrammed Token Configuration
Title source: llmDescription
Incorrect access control in Yubico OTP functionality of the YubiKey hardware tokens along with the Yubico OTP validation server. The Yubico OTP supposedly creates hardware-bound second-factor credentials. When a user reprograms the OTP functionality by "writing" it on a token using the Yubico Personalization Tool, they can then upload the new configuration to Yubico's OTP validation servers. NOTE: the vendor disputes this because there is no way for a YubiKey device to prevent a user from deciding that a secret value, which is imported into the device, should also be stored elsewhere.
References (4)
Vendor Advisory (x_refsource_misc): https://upload.yubico.com/
Vendor Advisory (x_refsource_misc): https://demo.yubico.com/otp/verify
Exploit, Third Party Advisory (x_refsource_misc): https://pastebin.com/7iLR1EbW
Third Party Advisory (x_refsource_misc): https://pastebin.com/xAh8uV6J
Scores
CVSS v3 base score: 6.5
EPSS: 0.0096
EPSS Percentile: 57.0%
Attack Vector: NETWORK
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Details
CWE: CWE-863
Status: published
Products (1): yubico/otp
Published: May 11, 2022
Tracked Since: Feb 18, 2026