SecTeer VulnDetect Support Forum


    [Solved] Yubikey manager: not displayed as insecure with an embedded insecure python and lower version recommended

      GregAlexandre last edited by OLLI_S

      Hi,

      See picture below:
      91cb8e55-5b68-46f8-b108-8bc0a605de2c-image.png

      Regards.

        OLLI_S Community Moderator @GregAlexandre last edited by

        @gregalexandre OK, then I mark this issue as solved.

          GregAlexandre @OLLI_S last edited by

          @olli_s: you can close this, as the lower version of Yubikey is no longer recommended.

            OLLI_S Community Moderator @GregAlexandre last edited by

            @gregalexandre Tell me if this can be closed. Thank you!

              GregAlexandre @Tom last edited by

              @tom :
              Yubikey manager may not be affected by the vulnerability of Python. But it may allow wrong usage of the version of Python they install.

              Yes, the problem is the same with Java, where you can have multiple unsafe versions of Java installed and not updated by multiple products.

              During an attack, the attacker may choose to use the vulnerable (embedded) product to run malicious actions (e.g. the one that allows it to increase its rights).

              I did not look at the Python vulnerability. It may be acceptable. But this is not coherent with defense-in-depth.

              I understand your point of view even if I cannot agree.

              Regards.

                Tom VulnDetect Team Member @GregAlexandre last edited by

                @gregalexandre I don't know how Python is utilized by Yubikey Manager, so it is hard to assess if it is affected by the vulnerability in Python.

                Unless Yubikey (or some independent researcher) makes any statements that indicate Yubikey Manager to be affected, then we will not flag it as being affected.

                For some "libraries" it is dead obvious whether the "parent" product is affected (or not) by a vulnerability, but in a case like this, it is dependent upon their specific implementation of Python (and I have no knowledge about how they use it). The same goes for many applications that utilize Java.

                Given the latest vuln that was fixed in Python, I wouldn't worry much though.

                /Tom
                Download the latest SecTeer VulnDetect agent here:
                https://vulndetect.com/dl/secteerSetup.exe
