CVE-2020-15000
MEDIUM EPSS 48.6%
Published Jul 9, 2020 (5y ago) · Modified Jun 17, 2026 (2w ago)
5.9 CVSS 3.1
Description
A PIN management problem was discovered on Yubico YubiKey 5 devices 5.2.0 to 5.2.6. OpenPGP has three passwords: Admin PIN, Reset Code, and User PIN. The Reset Code is used to reset the User PIN, but it is disabled by default. A flaw in the implementation of OpenPGP sets the Reset Code to a known value upon initialization. If the retry counter for the Reset Code is set to non-zero without changing the Reset Code, this known value can be used to reset the User PIN. To set the retry counters, the Admin PIN is required.
CVSS Details
Base Score
Exploitability
Impact
Vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality None
Integrity High
Availability None
Threat Intelligence
EPSS Exploit Probability
48.6% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available
Affected Products 2
References 1
- yubico.com https://www.yubico.com/support/security-advisories/ysa-2020-05/
Remediation
No remediation data recorded yet
Check vendor advisories and the NVD entry for patch availability.