ID

VAR-202007-0756


CVE

CVE-2020-15001


TITLE

Yubico YubiKey 5 NFC Information Disclosure Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2020-52897 // CNNVD: CNNVD-202007-435

DESCRIPTION

An information leak was discovered on Yubico YubiKey 5 NFC devices 5.0.0 to 5.2.6 and 5.3.0 to 5.3.1. The OTP application allows a user to set optional access codes on OTP slots. This access code is intended to prevent unauthorized changes to OTP configurations. The access code is not checked when updating NFC-specific components of the OTP configurations. This may allow an attacker to access configured OTPs and passwords stored in slots that were not configured by the user to be read over NFC, despite a user having set an access code. (Users who have not set an access code, or who have not configured the OTP slots, are not impacted by this issue.) Yubico YubiKey 5 NFC is a multi-protocol secret key device with NFC (Near Field Communication) support, made by Yubico of Sweden.

Trust: 2.16

sources: NVD: CVE-2020-15001 // JVNDB: JVNDB-2020-007812 // CNVD: CNVD-2020-52897

IOT TAXONOMY

category: ['Network device']
sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-52897

AFFECTED PRODUCTS

vendor: yubico
model: yubikey 5 nfc
scope: gte
version: 5.0.0

Trust: 1.0

vendor: yubico
model: yubikey 5 nfc
scope: gte
version: 5.3.0

Trust: 1.0

vendor: yubico
model: yubikey 5 nfc
scope: lte
version: 5.3.1

Trust: 1.0

vendor: yubico
model: yubikey 5 nfc
scope: lte
version: 5.2.6

Trust: 1.0

vendor: yubico
model: yubikey 5 nfc
scope: eq
version: 5.0.0 to 5.2.6

Trust: 0.8

vendor: yubico
model: yubikey 5 nfc
scope: eq
version: 5.3.0 to 5.3.1

Trust: 0.8

vendor: yubico
model: yubikey nfc
scope: eq
version: 5>=5.0.0,<=5.2.6

Trust: 0.6

vendor: yubico
model: yubikey nfc
scope: eq
version: 5>=5.3.0,<=5.3.1

Trust: 0.6

sources: CNVD: CNVD-2020-52897 // JVNDB: JVNDB-2020-007812 // NVD: CVE-2020-15001

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-15001
value: MEDIUM

Trust: 1.0

NVD: JVNDB-2020-007812
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2020-52897
value: LOW

Trust: 0.6

CNNVD: CNNVD-202007-435
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2020-15001
severity: LOW
baseScore: 2.9
vectorString: AV:A/AC:M/AU:N/C:P/I:N/A:N
accessVector: ADJACENT_NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 5.5
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2020-007812
severity: LOW
baseScore: 2.9
vectorString: AV:A/AC:M/AU:N/C:P/I:N/A:N
accessVector: ADJACENT NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2020-52897
severity: LOW
baseScore: 2.9
vectorString: AV:A/AC:M/AU:N/C:P/I:N/A:N
accessVector: ADJACENT_NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 5.5
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2020-15001
baseSeverity: MEDIUM
baseScore: 5.3
vectorString: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: ADJACENT
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 1.6
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: JVNDB-2020-007812
baseSeverity: MEDIUM
baseScore: 5.3
vectorString: CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: ADJACENT NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2020-52897 // JVNDB: JVNDB-2020-007812 // CNNVD: CNNVD-202007-435 // NVD: CVE-2020-15001

PROBLEMTYPE DATA

problemtype:CWE-862

Trust: 1.0

problemtype:CWE-200

Trust: 0.8

sources: JVNDB: JVNDB-2020-007812 // NVD: CVE-2020-15001

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-202007-435

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-202007-435

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-007812

PATCH

title: Security Advisory YSA-2020-04
url: https://www.yubico.com/support/security-advisories/ysa-2020-04/

Trust: 0.8

sources: JVNDB: JVNDB-2020-007812

EXTERNAL IDS

db: NVD
id: CVE-2020-15001

Trust: 3.0

db: JVNDB
id: JVNDB-2020-007812

Trust: 0.8

db: CNVD
id: CNVD-2020-52897

Trust: 0.6

db: CNNVD
id: CNNVD-202007-435

Trust: 0.6

sources: CNVD: CNVD-2020-52897 // JVNDB: JVNDB-2020-007812 // CNNVD: CNNVD-202007-435 // NVD: CVE-2020-15001

REFERENCES

url: https://nvd.nist.gov/vuln/detail/cve-2020-15001

Trust: 2.0

url: https://www.yubico.com/support/security-advisories/ysa-2020-04/

Trust: 1.6

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-15001

Trust: 0.8

sources: CNVD: CNVD-2020-52897 // JVNDB: JVNDB-2020-007812 // CNNVD: CNNVD-202007-435 // NVD: CVE-2020-15001

SOURCES

db: CNVD
id: CNVD-2020-52897

db: JVNDB
id: JVNDB-2020-007812

db: CNNVD
id: CNNVD-202007-435

db: NVD
id: CVE-2020-15001

LAST UPDATE DATE

2024-11-23T21:59:09.225000+00:00


SOURCES UPDATE DATE

db: CNVD
id: CNVD-2020-52897
date: 2020-09-19T00:00:00

db: JVNDB
id: JVNDB-2020-007812
date: 2020-08-27T00:00:00

db: CNNVD
id: CNNVD-202007-435
date: 2020-07-17T00:00:00

db: NVD
id: CVE-2020-15001
date: 2024-11-21T05:04:36.060

SOURCES RELEASE DATE

db: CNVD
id: CNVD-2020-52897
date: 2020-09-19T00:00:00

db: JVNDB
id: JVNDB-2020-007812
date: 2020-08-27T00:00:00

db: CNNVD
id: CNNVD-202007-435
date: 2020-07-09T00:00:00

db: NVD
id: CVE-2020-15001
date: 2020-07-09T19:15:11.057