CVE-2020-10185: 
Linux Debian vulnerability analysis and mitigation

The sync endpoint in YubiKey Validation Server before version 2.40 contains a security vulnerability identified as CVE-2020-10185. This vulnerability was discovered and disclosed in March 2020, affecting the YubiKey Validation Server's OTP validation service. The issue specifically impacts self-hosted OTP validation services with non-default configurations such as an open sync pool, and notably does not affect YubiCloud (Yubico Advisory).

The vulnerability stems from insufficient data validation in the sync endpoint of the YubiKey Validation Server. The CVSS v3.1 base score is 8.6 (HIGH) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H. The vulnerability is classified under CWE-294 (Authentication Bypass by Capture-replay) (NVD).

The vulnerability allows remote attackers to replay a previously used One-Time Password (OTP). This primarily affects organizations running self-hosted validation services with custom configurations that expose the sync API endpoint (Yubico Advisory).

Organizations should update their YubiKey Validation Server deployment to version 2.40 or later. Additionally, administrators should review their sync API configuration in ykval-config.php to ensure no unnecessary API endpoints are exposed. The configuration should be checked for uncommented IP addresses in the YKVAL_ALLOWED_SYNC_POOL array (Yubico Advisory, Debian Advisory).