CVE-2020-10184: 
Linux Debian vulnerability analysis and mitigation

The verify endpoint in YubiKey Validation Server before version 2.40 contained a vulnerability (CVE-2020-10184) that was discovered and disclosed in March 2020. The vulnerability affects the validation server's SQL query handling, where it does not check the length of SQL queries. This issue specifically impacts developers, partners, and customers who have used a YubiKey Validation Server to build a self-hosted one-time password (OTP) validation service. Importantly, this vulnerability does not affect YubiCloud services (Yubico Advisory).

The vulnerability stems from insufficient input validation in the verify API endpoint. While the verify endpoint performs basic validation on all fields prior to executing database queries, it does not check length parameters. This oversight in validation could allow attackers to submit large entries to the database. The severity of this issue is considered Important, as confirmed by multiple security advisories (Debian LTS, Yubico Advisory).

The vulnerability allows remote attackers to cause a denial of service through SQL injection attacks. The primary impact is the potential prevention of legitimate authentications in the default configuration. The level of impact varies depending on the specific configuration of the YubiKey Validation Server instance (Yubico Advisory).

The primary mitigation is to update to YubiKey Validation Server version 2.40 or later. Organizations should also confirm that their service configuration does not unnecessarily expose API endpoints. For sync API configuration, administrators should review their ykval-config.php file to ensure only necessary IP addresses are listed in the YKVAL_ALLOWED_SYNC_POOL array (Yubico Advisory).