SecTeer VulnDetect & PatchPro Support Forum VulnDetect

    [Solved] Yubikey manager: not displayed as insecure with an embedded insecure python and lower version recommended

    Detection Issues
      GregAlexandre
      last edited by OLLI_S

      Hi,

      See picture below:
      91cb8e55-5b68-46f8-b108-8bc0a605de2c-image.png

      Regards.

        Tom VulnDetect Team Member @GregAlexandre

        @gregalexandre I don't know how Python is utilized by Yubikey Manager, so it is hard to assess if it is affected by the vulnerability in Python.

        Unless Yubikey (or some independent researcher) makes any statements that indicate Yubikey Manager to be affected, then we will not flag it as being affected.

        For some "libraries" it is dead obvious whether the "parent" product is affected (or not) by a vulnerability, but in a case like this, it is dependent upon their specific implementation of Python (and I have no knowledge about how they use it). The same goes for many applications that utilize Java.

        Given the latest vuln that was fixed in Python, I wouldn't worry much though.

        /Tom
        Download the latest SecTeer VulnDetect agent here:
        https://vulndetect.com/dl/secteerSetup.exe

          GregAlexandre @Tom

          @tom:
          Yubikey Manager may not be affected by the vulnerability of Python. But it may allow wrong usage of the version of Python they install.

          Yes, the problem is the same with Java, where you can have multiple unsafe versions of Java installed and not updated by multiple products.

          During an attack, the attacker may choose to use the vulnerable (embedded) product to run malicious actions (e.g., the one that allows it to increase its rights).

          I do not look at the Python vulnerability. It may be acceptable. But this is not coherent with defense-in-depth.

          I understand your point of view even if I cannot agree.

          Regards.
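
Added example, not part of the original thread and not VulnDetect's detection logic: one way a defender could inventory Python runtimes bundled inside other products, the situation discussed above. It reads major.minor from the runtime's file name (the patch level is not visible there); the 3.9 floor and the vendor directory names are assumptions constructed for the demo.

```python
import os
import re
import tempfile
from pathlib import Path

# CPython names its Windows runtime pythonXY.dll; python3.dll is the
# stable-ABI stub, carries no minor version, and is deliberately not matched.
DLL_NAME = re.compile(r"^python(\d)(\d+)\.dll$", re.IGNORECASE)
# Shared-library naming on Linux/macOS, e.g. libpython3.7m.so.1.0
SO_NAME = re.compile(r"^libpython(\d)\.(\d+)[a-z]*\.(?:so|dylib)", re.IGNORECASE)


def find_bundled_pythons(root):
    """Return sorted (owning_dir, (major, minor)) for each runtime under root."""
    hits = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            m = DLL_NAME.match(name) or SO_NAME.match(name)
            if m:
                hits.add((dirpath, (int(m.group(1)), int(m.group(2)))))
    return sorted(hits)


def outdated(hits, floor):
    """Keep runtimes whose major.minor is below floor (an assumed policy value)."""
    return [(d, v) for d, v in hits if v < floor]


def demo():
    """Build a constructed install tree and report runtimes below 3.9."""
    with tempfile.TemporaryDirectory() as tmp:
        layout = {  # constructed sample, not real product layouts
            "VendorA/app": ["app.exe", "python37.dll", "python3.dll"],
            "VendorB/bin": ["tool.exe", "python311.dll"],
            "VendorC/lib": ["libpython2.7.so.1.0"],
        }
        for rel, names in layout.items():
            d = Path(tmp, rel)
            d.mkdir(parents=True)
            for n in names:
                (d / n).touch()
        found = find_bundled_pythons(tmp)
        return [(Path(d).relative_to(tmp).as_posix(), v)
                for d, v in outdated(found, floor=(3, 9))]


if __name__ == "__main__":
    for where, (major, minor) in demo():
        print(f"{where}: bundled Python {major}.{minor}")
```

Pointing `find_bundled_pythons` at an application install root lists every product that ships its own interpreter, whether or not the scanner flags the parent product.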

            OLLI_S Community Moderator @GregAlexandre

            @gregalexandre Tell me if this can be closed. Thank you!

              GregAlexandre @OLLI_S

              @olli_s: you can close, as the lower version of Yubikey is no longer recommended.

                OLLI_S Community Moderator @GregAlexandre

                @gregalexandre OK, then I mark this issue as solved.
