CVE-2020-15000

MEDIUM EPSS 48.6%
Published Jul 9, 2020 (5y ago) · Modified Jun 17, 2026 (2w ago)
5.9 CVSS 3.1
Medium

Description

A PIN management problem was discovered on Yubico YubiKey 5 devices 5.2.0 to 5.2.6. OpenPGP has three passwords: Admin PIN, Reset Code, and User PIN. The Reset Code is used to reset the User PIN, but it is disabled by default. A flaw in the implementation of OpenPGP sets the Reset Code to a known value upon initialization. If the retry counter for the Reset Code is set to non-zero without changing the Reset Code, this known value can be used to reset the User PIN. To set the retry counters, the Admin PIN is required.

CVSS Details

Base Score
5.9
Exploitability
2.2
Impact
3.6
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality None
Integrity High
Availability None

Threat Intelligence

EPSS Exploit Probability
48.6% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Affected Products 2

Vendor   Product                  Version   Range
yubico   yubikey_5_nfc_firmware   *         ≥5.2.0 – ≤5.2.6
yubico   yubikey_5_nfc            *         any

References 1

  • yubico.com https://www.yubico.com/support/security-advisories/ysa-2020-05/
    Tags: Mitigation, Vendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.