OpenVPN before 2.0.1, when running with "verb 0" and without TLS authentication, does not properly flush the OpenSSL error queue when a client fails certificate authentication to the server and causes the error to be processed by the wrong client, which allows remote attackers to cause a denial of service (client disconnection) via a large number of failed authentication attempts.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openvpn | openvpn | 2.0_rc17 |
| openvpn | openvpn | 2.0_rc14 |
| openvpn | openvpn | 2.0_test3 |
| openvpn | openvpn | 2.0_test22 |
| openvpn | openvpn | 2.0_test2 |
| openvpn | openvpn | 2.0_rc16 |
| openvpn | openvpn | 2.0_rc20 |
| openvpn | openvpn | 2.0.1_rc7 |
| openvpn | openvpn | 2.0_test16 |
| openvpn | openvpn | 2.0_test6 |
| openvpn | openvpn | 2.0_beta9 |
| openvpn | openvpn | 2.0_rc7 |
| openvpn | openvpn | 2.0_rc1 |
| openvpn | openvpn | 2.0.1_rc2 |
| openvpn | openvpn | 2.0_test27 |
| openvpn | openvpn | 2.0 |
| openvpn | openvpn | 2.0_test1 |
| openvpn | openvpn | 2.0.1_rc5 |
| openvpn | openvpn | 2.0_rc9 |
| openvpn | openvpn | 2.0_test8 |
| openvpn | openvpn | 2.0_test14 |
| openvpn | openvpn | 2.0_test12 |
| openvpn | openvpn | 2.0_test15 |
| openvpn | openvpn | 2.0_rc3 |
| openvpn | openvpn | 2.0_test21 |
| openvpn | openvpn | 2.0_beta13 |
| openvpn | openvpn | 2.0_test20 |
| openvpn | openvpn | 2.0_rc8 |
| openvpn | openvpn | 2.0_test26 |
| openvpn | openvpn | 2.0_test5 |
| openvpn | openvpn | 2.0_beta3 |
| openvpn | openvpn | 2.0_rc6 |
| openvpn | openvpn | 2.0_test23 |
| openvpn | openvpn | 2.0_beta4 |
| openvpn | openvpn | 2.0_test7 |
| openvpn | openvpn | 2.0.1_rc1 |
| openvpn | openvpn | 2.0_rc15 |
| openvpn | openvpn | 2.0_rc4 |
| openvpn | openvpn | 2.0_test11 |
| openvpn | openvpn | 2.0_beta2 |
| openvpn | openvpn | 2.0_beta11 |
| openvpn | openvpn | 2.0_rc18 |
| openvpn | openvpn | 2.0_beta15 |
| openvpn | openvpn | 2.0_test17 |
| openvpn | openvpn | 2.0_beta18 |
| openvpn | openvpn | 2.0_test10 |
| openvpn | openvpn | 2.0_beta10 |
| openvpn | openvpn | 2.0.1_rc6 |
| openvpn | openvpn | 2.0_rc12 |
| openvpn | openvpn | 2.0_rc21 |
| openvpn | openvpn | 2.0_test9 |
| openvpn | openvpn | 2.0_beta28 |
| openvpn | openvpn | 2.0_test29 |
| openvpn | openvpn | 2.0_beta19 |
| openvpn | openvpn | 2.0_test24 |
| openvpn | openvpn | 2.0_beta6 |
| openvpn | openvpn | 2.0_beta16 |
| openvpn | openvpn | 2.0_beta5 |
| openvpn | openvpn | 2.0.1_rc4 |
| openvpn | openvpn | 2.0_test19 |
| openvpn | openvpn | 2.0_beta7 |
| openvpn | openvpn | 2.0_beta20 |
| openvpn | openvpn | 2.0_rc10 |
| openvpn | openvpn | 2.0_rc19 |
| openvpn | openvpn | 2.0.1_rc3 |
| openvpn | openvpn | 2.0_rc5 |
| openvpn | openvpn | 2.0_test18 |
| openvpn | openvpn | 2.0_beta1 |
| openvpn | openvpn | 2.0_beta8 |
| openvpn | openvpn | 2.0_beta17 |
| openvpn | openvpn | 2.0_beta12 |
| openvpn | openvpn | 2.0_rc11 |
| openvpn | openvpn | 2.0_rc2 |
| openvpn | openvpn | 2.0_rc13 |
OpenVPN before 2.0.1 does not properly flush the OpenSSL error queue when a packet can not be decrypted by the server, which allows remote authenticated attackers to cause a denial of service (client disconnection) via a large number of packets that can not be decrypted.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openvpn | openvpn | 2.0_rc17 |
| openvpn | openvpn | 2.0_rc14 |
| openvpn | openvpn | 2.0_test3 |
| openvpn | openvpn | 2.0_test22 |
| openvpn | openvpn | 2.0_test2 |
| openvpn | openvpn | 2.0_rc16 |
| openvpn | openvpn | 2.0_rc20 |
| openvpn | openvpn | 2.0.1_rc7 |
| openvpn | openvpn | 2.0_test16 |
| openvpn | openvpn | 2.0_test6 |
| openvpn | openvpn | 2.0_beta9 |
| openvpn | openvpn | 2.0_rc7 |
| openvpn | openvpn | 2.0_rc1 |
| openvpn | openvpn | 2.0.1_rc2 |
| openvpn | openvpn | 2.0_test27 |
| openvpn | openvpn | 2.0 |
| openvpn | openvpn | 2.0_test1 |
| openvpn | openvpn | 2.0.1_rc5 |
| openvpn | openvpn | 2.0_rc9 |
| openvpn | openvpn | 2.0_test8 |
| openvpn | openvpn | 2.0_test14 |
| openvpn | openvpn | 2.0_test12 |
| openvpn | openvpn | 2.0_test15 |
| openvpn | openvpn | 2.0_rc3 |
| openvpn | openvpn | 2.0_test21 |
| openvpn | openvpn | 2.0_beta13 |
| openvpn | openvpn | 2.0_test20 |
| openvpn | openvpn | 2.0_rc8 |
| openvpn | openvpn | 2.0_test26 |
| openvpn | openvpn | 2.0_test5 |
| openvpn | openvpn | 2.0_beta3 |
| openvpn | openvpn | 2.0_rc6 |
| openvpn | openvpn | 2.0_test23 |
| openvpn | openvpn | 2.0_beta4 |
| openvpn | openvpn | 2.0_test7 |
| openvpn | openvpn | 2.0.1_rc1 |
| openvpn | openvpn | 2.0_rc15 |
| openvpn | openvpn | 2.0_rc4 |
| openvpn | openvpn | 2.0_test11 |
| openvpn | openvpn | 2.0_beta2 |
| openvpn | openvpn | 2.0_beta11 |
| openvpn | openvpn | 2.0_rc18 |
| openvpn | openvpn | 2.0_beta15 |
| openvpn | openvpn | 2.0_test17 |
| openvpn | openvpn | 2.0_beta18 |
| openvpn | openvpn | 2.0_test10 |
| openvpn | openvpn | 2.0_beta10 |
| openvpn | openvpn | 2.0.1_rc6 |
| openvpn | openvpn | 2.0_rc12 |
| openvpn | openvpn | 2.0_rc21 |
| openvpn | openvpn | 2.0_test9 |
| openvpn | openvpn | 2.0_beta28 |
| openvpn | openvpn | 2.0_test29 |
| openvpn | openvpn | 2.0_beta19 |
| openvpn | openvpn | 2.0_test24 |
| openvpn | openvpn | 2.0_beta6 |
| openvpn | openvpn | 2.0_beta16 |
| openvpn | openvpn | 2.0_beta5 |
| openvpn | openvpn | 2.0.1_rc4 |
| openvpn | openvpn | 2.0_test19 |
| openvpn | openvpn | 2.0_beta7 |
| openvpn | openvpn | 2.0_beta20 |
| openvpn | openvpn | 2.0_rc10 |
| openvpn | openvpn | 2.0_rc19 |
| openvpn | openvpn | 2.0.1_rc3 |
| openvpn | openvpn | 2.0_rc5 |
| openvpn | openvpn | 2.0_test18 |
| openvpn | openvpn | 2.0_beta1 |
| openvpn | openvpn | 2.0_beta8 |
| openvpn | openvpn | 2.0_beta17 |
| openvpn | openvpn | 2.0_beta12 |
| openvpn | openvpn | 2.0_rc11 |
| openvpn | openvpn | 2.0_rc2 |
| openvpn | openvpn | 2.0_rc13 |
OpenVPN before 2.0.1, when running in "dev tap" Ethernet bridging mode, allows remote authenticated clients to cause a denial of service (memory exhaustion) via a flood of packets with a large number of spoofed MAC addresses.
CVSS 2.0
Severity: LOW
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openvpn | openvpn | 2.0_rc17 |
| openvpn | openvpn | 2.0_rc14 |
| openvpn | openvpn | 2.0_test3 |
| openvpn | openvpn | 2.0_test22 |
| openvpn | openvpn | 2.0_test2 |
| openvpn | openvpn | 2.0_rc16 |
| openvpn | openvpn | 2.0_rc20 |
| openvpn | openvpn | 2.0.1_rc7 |
| openvpn | openvpn | 2.0_test16 |
| openvpn | openvpn | 2.0_test6 |
| openvpn | openvpn | 2.0_beta9 |
| openvpn | openvpn | 2.0_rc7 |
| openvpn | openvpn | 2.0_rc1 |
| openvpn | openvpn | 2.0.1_rc2 |
| openvpn | openvpn | 2.0_test27 |
| openvpn | openvpn | 2.0 |
| openvpn | openvpn | 2.0_test1 |
| openvpn | openvpn | 2.0.1_rc5 |
| openvpn | openvpn | 2.0_rc9 |
| openvpn | openvpn | 2.0_test8 |
| openvpn | openvpn | 2.0_test14 |
| openvpn | openvpn | 2.0_test12 |
| openvpn | openvpn | 2.0_test15 |
| openvpn | openvpn | 2.0_rc3 |
| openvpn | openvpn | 2.0_test21 |
| openvpn | openvpn | 2.0_beta13 |
| openvpn | openvpn | 2.0_test20 |
| openvpn | openvpn | 2.0_rc8 |
| openvpn | openvpn | 2.0_test26 |
| openvpn | openvpn | 2.0_test5 |
| openvpn | openvpn | 2.0_beta3 |
| openvpn | openvpn | 2.0_rc6 |
| openvpn | openvpn | 2.0_test23 |
| openvpn | openvpn | 2.0_beta4 |
| openvpn | openvpn | 2.0_test7 |
| openvpn | openvpn | 2.0.1_rc1 |
| openvpn | openvpn | 2.0_rc15 |
| openvpn | openvpn | 2.0_rc4 |
| openvpn | openvpn | 2.0_test11 |
| openvpn | openvpn | 2.0_beta2 |
| openvpn | openvpn | 2.0_beta11 |
| openvpn | openvpn | 2.0_rc18 |
| openvpn | openvpn | 2.0_beta15 |
| openvpn | openvpn | 2.0_test17 |
| openvpn | openvpn | 2.0_beta18 |
| openvpn | openvpn | 2.0_test10 |
| openvpn | openvpn | 2.0_beta10 |
| openvpn | openvpn | 2.0.1_rc6 |
| openvpn | openvpn | 2.0_rc12 |
| openvpn | openvpn | 2.0_rc21 |
| openvpn | openvpn | 2.0_test9 |
| openvpn | openvpn | 2.0_beta28 |
| openvpn | openvpn | 2.0_test29 |
| openvpn | openvpn | 2.0_beta19 |
| openvpn | openvpn | 2.0_test24 |
| openvpn | openvpn | 2.0_beta6 |
| openvpn | openvpn | 2.0_beta16 |
| openvpn | openvpn | 2.0_beta5 |
| openvpn | openvpn | 2.0.1_rc4 |
| openvpn | openvpn | 2.0_test19 |
| openvpn | openvpn | 2.0_beta7 |
| openvpn | openvpn | 2.0_beta20 |
| openvpn | openvpn | 2.0_rc10 |
| openvpn | openvpn | 2.0_rc19 |
| openvpn | openvpn | 2.0.1_rc3 |
| openvpn | openvpn | 2.0_rc5 |
| openvpn | openvpn | 2.0_test18 |
| openvpn | openvpn | 2.0_beta1 |
| openvpn | openvpn | 2.0_beta8 |
| openvpn | openvpn | 2.0_beta17 |
| openvpn | openvpn | 2.0_beta12 |
| openvpn | openvpn | 2.0_rc11 |
| openvpn | openvpn | 2.0_rc2 |
| openvpn | openvpn | 2.0_rc13 |
Race condition in OpenVPN before 2.0.1, when --duplicate-cn is not enabled, allows remote attackers to cause a denial of service (server crash) via simultaneous TCP connections from multiple clients that use the same client certificate.
CVSS 2.0
Severity: LOW
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openvpn | openvpn | 2.0_rc17 |
| openvpn | openvpn | 2.0_rc14 |
| openvpn | openvpn | 2.0_test3 |
| openvpn | openvpn | 2.0_test22 |
| openvpn | openvpn | 2.0_test2 |
| openvpn | openvpn | 2.0_rc16 |
| openvpn | openvpn | 2.0_rc20 |
| openvpn | openvpn | 2.0.1_rc7 |
| openvpn | openvpn | 2.0_test16 |
| openvpn | openvpn | 2.0_test6 |
| openvpn | openvpn | 2.0_beta9 |
| openvpn | openvpn | 2.0_rc7 |
| openvpn | openvpn | 2.0_rc1 |
| openvpn | openvpn | 2.0.1_rc2 |
| openvpn | openvpn | 2.0_test27 |
| openvpn | openvpn | 2.0 |
| openvpn | openvpn | 2.0_test1 |
| openvpn | openvpn | 2.0.1_rc5 |
| openvpn | openvpn | 2.0_rc9 |
| openvpn | openvpn | 2.0_test8 |
| openvpn | openvpn | 2.0_test14 |
| openvpn | openvpn | 2.0_test12 |
| openvpn | openvpn | 2.0_test15 |
| openvpn | openvpn | 2.0_rc3 |
| openvpn | openvpn | 2.0_test21 |
| openvpn | openvpn | 2.0_beta13 |
| openvpn | openvpn | 2.0_test20 |
| openvpn | openvpn | 2.0_rc8 |
| openvpn | openvpn | 2.0_test26 |
| openvpn | openvpn | 2.0_test5 |
| openvpn | openvpn | 2.0_beta3 |
| openvpn | openvpn | 2.0_rc6 |
| openvpn | openvpn | 2.0_test23 |
| openvpn | openvpn | 2.0_beta4 |
| openvpn | openvpn | 2.0_test7 |
| openvpn | openvpn | 2.0.1_rc1 |
| openvpn | openvpn | 2.0_rc15 |
| openvpn | openvpn | 2.0_rc4 |
| openvpn | openvpn | 2.0_test11 |
| openvpn | openvpn | 2.0_beta2 |
| openvpn | openvpn | 2.0_beta11 |
| openvpn | openvpn | 2.0_rc18 |
| openvpn | openvpn | 2.0_beta15 |
| openvpn | openvpn | 2.0_test17 |
| openvpn | openvpn | 2.0_beta18 |
| openvpn | openvpn | 2.0_test10 |
| openvpn | openvpn | 2.0_beta10 |
| openvpn | openvpn | 2.0.1_rc6 |
| openvpn | openvpn | 2.0_rc12 |
| openvpn | openvpn | 2.0_rc21 |
| openvpn | openvpn | 2.0_test9 |
| openvpn | openvpn | 2.0_beta28 |
| openvpn | openvpn | 2.0_test29 |
| openvpn | openvpn | 2.0_beta19 |
| openvpn | openvpn | 2.0_test24 |
| openvpn | openvpn | 2.0_beta6 |
| openvpn | openvpn | 2.0_beta16 |
| openvpn | openvpn | 2.0_beta5 |
| openvpn | openvpn | 2.0.1_rc4 |
| openvpn | openvpn | 2.0_test19 |
| openvpn | openvpn | 2.0_beta7 |
| openvpn | openvpn | 2.0_beta20 |
| openvpn | openvpn | 2.0_rc10 |
| openvpn | openvpn | 2.0_rc19 |
| openvpn | openvpn | 2.0.1_rc3 |
| openvpn | openvpn | 2.0_rc5 |
| openvpn | openvpn | 2.0_test18 |
| openvpn | openvpn | 2.0_beta1 |
| openvpn | openvpn | 2.0_beta8 |
| openvpn | openvpn | 2.0_beta17 |
| openvpn | openvpn | 2.0_beta12 |
| openvpn | openvpn | 2.0_rc11 |
| openvpn | openvpn | 2.0_rc2 |
| openvpn | openvpn | 2.0_rc13 |
Format string vulnerability in the foreign_option function in options.c for OpenVPN 2.0.x allows remote clients to execute arbitrary code via format string specifiers in a push of the dhcp-option command option.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openvpn | openvpn_access_server | 2.0.2 |
| openvpn | openvpn | 2.0_beta11 |
| openvpn | openvpn_access_server | 2.0.1 |
| openvpn | openvpn | 2.0 |
OpenVPN 2.x before 2.0.4, when running in TCP mode, allows remote attackers to cause a denial of service (segmentation fault) by forcing the accept function call to return an error status, which leads to a null dereference in an exception handler.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openvpn | openvpn | 2.0_rc17 |
| openvpn | openvpn | 2.0.2_rc1 |
| openvpn | openvpn | 2.0_rc14 |
| openvpn | openvpn | 2.0_test3 |
| openvpn | openvpn | 2.0_test22 |
| openvpn | openvpn | 2.0_test2 |
| openvpn | openvpn | 2.0_rc16 |
| openvpn | openvpn | 2.0_rc20 |
| openvpn | openvpn | 2.0.1_rc7 |
| openvpn | openvpn | 2.0_test16 |
| openvpn | openvpn | 2.0_test6 |
| openvpn | openvpn | 2.0_beta9 |
| openvpn | openvpn | 2.0_rc7 |
| openvpn | openvpn | 2.0_rc1 |
| openvpn | openvpn | 2.0.1_rc2 |
| openvpn | openvpn | 2.0_test27 |
| openvpn | openvpn | 2.0 |
| openvpn | openvpn | 2.0_test1 |
| openvpn | openvpn | 2.0.1_rc5 |
| openvpn | openvpn | 2.0_rc9 |
| openvpn | openvpn | 2.0_test8 |
| openvpn | openvpn | 2.0_test14 |
| openvpn | openvpn | 2.0_test12 |
| openvpn | openvpn | 2.0_test15 |
| openvpn | openvpn | 2.0_rc3 |
| openvpn | openvpn | 2.0_test21 |
| openvpn | openvpn | 2.0_beta13 |
| openvpn | openvpn | 2.0_test20 |
| openvpn | openvpn | 2.0_rc8 |
| openvpn | openvpn | 2.0_test26 |
| openvpn | openvpn | 2.0_test5 |
| openvpn | openvpn | 2.0_beta3 |
| openvpn | openvpn_access_server | 2.0.2 |
| openvpn | openvpn | 2.0_rc6 |
| openvpn | openvpn | 2.0_test23 |
| openvpn | openvpn | 2.0_beta4 |
| openvpn | openvpn | 2.0_test7 |
| openvpn | openvpn | 2.0.1_rc1 |
| openvpn | openvpn | 2.0_rc15 |
| openvpn | openvpn | 2.0_rc4 |
| openvpn | openvpn | 2.0_test11 |
| openvpn | openvpn | 2.0_beta2 |
| openvpn | openvpn | 2.0_beta11 |
| openvpn | openvpn | 2.0_rc18 |
| openvpn | openvpn | 2.0_beta15 |
| openvpn | openvpn | 2.0_test17 |
| openvpn | openvpn | 2.0_beta18 |
| openvpn | openvpn | 2.0.3_rc1 |
| openvpn | openvpn | 2.0_test10 |
| openvpn | openvpn | 2.0_beta10 |
| openvpn | openvpn | 2.0.1_rc6 |
| openvpn | openvpn | 2.0_rc12 |
| openvpn | openvpn | 2.0_rc21 |
| openvpn | openvpn | 2.0_test9 |
| openvpn | openvpn | 2.0_beta28 |
| openvpn | openvpn | 2.0_test29 |
| openvpn | openvpn | 2.0_beta19 |
| openvpn | openvpn | 2.0_test24 |
| openvpn | openvpn | 2.0_beta6 |
| openvpn | openvpn | 2.0_beta16 |
| openvpn | openvpn | 2.0_beta5 |
| openvpn | openvpn | 2.0.1_rc4 |
| openvpn | openvpn | 2.0_test19 |
| openvpn | openvpn | 2.0_beta7 |
| openvpn | openvpn | 2.0_beta20 |
| openvpn | openvpn | 2.0_rc10 |
| openvpn | openvpn | 2.0_rc19 |
| openvpn | openvpn_access_server | 2.0.1 |
| openvpn | openvpn | 2.0.1_rc3 |
| openvpn | openvpn | 2.0_rc5 |
| openvpn | openvpn | 2.0_test18 |
| openvpn | openvpn | 2.0_beta1 |
| openvpn | openvpn | 2.0_beta8 |
| openvpn | openvpn | 2.0_beta17 |
| openvpn | openvpn | 2.0_beta12 |
| openvpn | openvpn | 2.0_rc11 |
| openvpn | openvpn | 2.0_rc2 |
| openvpn | openvpn | 2.0_rc13 |
OpenVPN 2.0 through 2.0.5 allows remote malicious servers to execute arbitrary code on the client by using setenv with the LD_PRELOAD environment variable.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openvpn | openvpn_access_server | 2.0.2 |
| openvpn | openvpn | 2.0.4 |
| openvpn | openvpn_access_server | 2.0.3 |
| openvpn | openvpn_access_server | 2.0.5 |
| openvpn | openvpn_access_server | 2.0.1 |
| openvpn | openvpn | 2.0 |
OpenVPN 2.0.7 and earlier, when configured to use the --management option with an IP that is not 127.0.0.1, uses a cleartext password for TCP sessions to the management interface, which might allow remote attackers to view sensitive information or cause a denial of service.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openvpn | openvpn | 2.0_rc17 |
| openvpn | openvpn | 2.0.2_rc1 |
| openvpn | openvpn | 2.0_rc14 |
| openvpn | openvpn | 2.0_test3 |
| openvpn | openvpn | 2.0_test25 |
| openvpn | openvpn | 2.0_test22 |
| openvpn | openvpn | 2.0_test2 |
| openvpn | openvpn | 2.0_rc16 |
| openvpn | openvpn | 2.0_rc20 |
| openvpn | openvpn | 2.0.1_rc7 |
| openvpn | openvpn | 2.0_test16 |
| openvpn | openvpn | 2.0_test6 |
| openvpn | openvpn | 2.0_beta9 |
| openvpn | openvpn | 2.0_rc7 |
| openvpn | openvpn | 2.0_rc1 |
| openvpn | openvpn | 2.0.1_rc2 |
| openvpn | openvpn | 2.0_test4 |
| openvpn | openvpn | 2.0_test27 |
| openvpn | openvpn | 2.0 |
| openvpn | openvpn | 2.0_test1 |
| openvpn | openvpn | 2.0.1_rc5 |
| openvpn | openvpn | 2.0_rc9 |
| openvpn | openvpn | 2.0_test8 |
| openvpn | openvpn | 2.0_test14 |
| openvpn | openvpn | 2.0.4 |
| openvpn | openvpn | 2.0_test12 |
| openvpn | openvpn | 2.0_test15 |
| openvpn | openvpn | 2.0_rc3 |
| openvpn | openvpn | 2.0_test21 |
| openvpn | openvpn | 2.0_beta13 |
| openvpn | openvpn | 2.0_test20 |
| openvpn | openvpn | 2.0_rc8 |
| openvpn | openvpn | 2.0_test26 |
| openvpn | openvpn | 2.0_test5 |
| openvpn | openvpn | 2.0_beta3 |
| openvpn | openvpn_access_server | 2.0.2 |
| openvpn | openvpn | 2.0_rc6 |
| openvpn | openvpn | 2.0_test23 |
| openvpn | openvpn | 2.0_beta4 |
| openvpn | openvpn | 2.0_test7 |
| openvpn | openvpn | 2.0.1_rc1 |
| openvpn | openvpn | 2.0_rc15 |
| openvpn | openvpn | 2.0_rc4 |
| openvpn | openvpn | 2.0_test11 |
| openvpn | openvpn | 2.0_beta2 |
| openvpn | openvpn | 2.0_beta11 |
| openvpn | openvpn | 2.0_rc18 |
| openvpn | openvpn | 2.0_beta15 |
| openvpn | openvpn | 2.0_test17 |
| openvpn | openvpn | 2.0_beta18 |
| openvpn | openvpn | 2.0.3_rc1 |
| openvpn | openvpn | 2.0_test10 |
| openvpn | openvpn_access_server | 2.0.7 |
| openvpn | openvpn | 2.0_beta10 |
| openvpn | openvpn | 2.0.1_rc6 |
| openvpn | openvpn | 2.0_rc12 |
| openvpn | openvpn | 2.0_rc21 |
| openvpn | openvpn | 2.0_test9 |
| openvpn | openvpn | 2.0_beta28 |
| openvpn | openvpn | 2.0_test29 |
| openvpn | openvpn | 2.0_beta19 |
| openvpn | openvpn | 2.0_test24 |
| openvpn | openvpn | 2.0_beta6 |
| openvpn | openvpn | 2.0_beta16 |
| openvpn | openvpn | 2.0_beta5 |
| openvpn | openvpn | 2.0.1_rc4 |
| openvpn | openvpn | 2.0_test19 |
| openvpn | openvpn | 2.0_beta7 |
| openvpn | openvpn | 2.0_beta20 |
| openvpn | openvpn | 2.0_rc10 |
| openvpn | openvpn | 2.0_rc19 |
| openvpn | openvpn_access_server | 2.0.1 |
| openvpn | openvpn | 2.0.1_rc3 |
| openvpn | openvpn_access_server | 2.0.6 |
| openvpn | openvpn | 2.0_rc5 |
| openvpn | openvpn | 2.0_test18 |
| openvpn | openvpn | 2.0_beta1 |
| openvpn | openvpn | 2.0_beta8 |
| openvpn | openvpn | 2.0_beta17 |
| openvpn | openvpn | 2.0_beta12 |
| openvpn | openvpn | 2.0_rc11 |
| openvpn | openvpn_access_server | 2.0.5 |
| openvpn | openvpn | 2.0.6_rc1 |
| openvpn | openvpn | 2.0_rc2 |
| openvpn | openvpn | 2.0_rc13 |
The openvpn_decrypt function in crypto.c in OpenVPN 2.3.0 and earlier, when running in UDP mode, allows remote attackers to obtain sensitive information via a timing attack involving an HMAC comparison function that does not run in constant time and a padding oracle attack on the CBC mode cipher.
CVSS 2.0
Severity: LOW
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openvpn | openvpn | 1.3.0 |
| openvpn | openvpn | 1.4.3 |
| openvpn | openvpn | 2.1.0 |
| openvpn | openvpn | 1.3.1 |
| openvpn | openvpn | 1.4.0 |
| openvpn | openvpn | 2.2.0 |
| opensuse | opensuse | 11.4 |
| openvpn | openvpn | 1.2.0 |
| openvpn | openvpn | 1.2.1 |
| openvpn | openvpn | 1.5.0 |
| openvpn | openvpn | 1.3.2 |
| openvpn | openvpn | 1.6.0 |
| openvpn | openvpn | * |
| openvpn | openvpn | 1.4.2 |
| openvpn | openvpn | 1.4.1 |
| openvpn | openvpn_access_server | 2.0.0 |
Cross-site request forgery (CSRF) vulnerability in the Admin web interface in OpenVPN Access Server before 1.8.5 allows remote attackers to hijack the authentication of administrators for requests that create administrative users.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-352,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openvpn | openvpn_access_server | * |
Unquoted Windows search path vulnerability in the ptservice service prior to PrivateTunnel version 3.0 (Windows) and OpenVPN Connect version 3.1 (Windows) allows local users to gain privileges via a crafted program.exe file in the %SYSTEMDRIVE% folder.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-428,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openvpn | openvpn | 2.1.28.0 |
| privatetunnel | privatetunnel | 2.3.8 |
OpenVPN 2.x before 2.0.11, 2.1.x, 2.2.x before 2.2.3, and 2.3.x before 2.3.6 allows remote authenticated users to cause a denial of service (server crash) via a small control channel packet.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openvpn | openvpn | 2.0_rc17 |
| openvpn | openvpn | 2.0_rc14 |
| openvpn | openvpn | 2.1.0 |
| openvpn | openvpn | 2.1.2 |
| openvpn | openvpn_access_server | 2.0.8 |
| openvpn | openvpn | 2.1.4 |
| openvpn | openvpn | 2.0_rc1 |
| openvpn | openvpn | 2.0.1_rc2 |
| openvpn | openvpn | 2.0_test27 |
| openvpn | openvpn | 2.0.9 |
| openvpn | openvpn | 2.3.4 |
| openvpn | openvpn | 2.0_test12 |
| openvpn | openvpn | 2.0_test20 |
| openvpn | openvpn | 2.0_test26 |
| openvpn | openvpn_access_server | 2.0.2 |
| openvpn | openvpn_access_server | 2.0.3 |
| openvpn | openvpn | 2.0_rc6 |
| openvpn | openvpn | 2.0_test23 |
| openvpn | openvpn | 2.0_test7 |
| openvpn | openvpn_access_server | 2.0.0 |
| openvpn | openvpn | 2.0_rc15 |
| openvpn | openvpn | 2.0_test11 |
| openvpn | openvpn | 2.3.1 |
| opensuse | opensuse | 13.2 |
| openvpn | openvpn | 2.0_test17 |
| openvpn | openvpn_access_server | 2.0.7 |
| debian | debian_linux | 8.0 |
| openvpn | openvpn | 2.2.2 |
| openvpn | openvpn | 2.0_rc12 |
| openvpn | openvpn | 2.0_rc21 |
| openvpn | openvpn | 2.0_test29 |
| opensuse | opensuse | 13.1 |
| openvpn | openvpn | 2.0_rc10 |
| openvpn | openvpn | 2.0_rc19 |
| openvpn | openvpn | 2.0_test28 |
| openvpn | openvpn_access_server | 2.0.1 |
| openvpn | openvpn | 2.2.0 |
| openvpn | openvpn_access_server | 2.0.6 |
| openvpn | openvpn | 2.3.3 |
| openvpn | openvpn | 2.1 |
| openvpn | openvpn | 2.0_test18 |
| openvpn | openvpn | 2.1.3 |
| openvpn | openvpn | 2.0_rc11 |
| openvpn | openvpn_access_server | 2.0.5 |
| openvpn | openvpn | 2.0_rc2 |
| openvpn | openvpn | 2.0_rc13 |
| openvpn | openvpn | 2.0.2_rc1 |
| openvpn | openvpn | 2.0_test3 |
| openvpn | openvpn | 2.0_test25 |
| openvpn | openvpn | 2.0_test22 |
| openvpn | openvpn | 2.0_test2 |
| openvpn | openvpn | 2.3 |
| openvpn | openvpn | 2.0_rc16 |
| openvpn | openvpn | 2.0_rc20 |
| openvpn | openvpn | 2.0.1_rc7 |
| openvpn | openvpn | 2.0_test16 |
| openvpn | openvpn | 2.0_test6 |
| openvpn | openvpn | 2.0_rc7 |
| openvpn | openvpn | 2.1.1 |
| openvpn | openvpn | 2.3.2 |
| openvpn | openvpn | 2.0_test4 |
| openvpn | openvpn | 2.0_test1 |
| openvpn | openvpn | 2.0.1_rc5 |
| openvpn | openvpn | 2.0_rc9 |
| openvpn | openvpn | 2.0_test8 |
| openvpn | openvpn | 2.2.1 |
| openvpn | openvpn | 2.3.5 |
| openvpn | openvpn | 2.0_test14 |
| openvpn | openvpn | 2.0.4 |
| openvpn | openvpn | 2.0_test15 |
| openvpn | openvpn | 2.0_rc3 |
| openvpn | openvpn | 2.0_test21 |
| openvpn | openvpn | 2.0_rc8 |
| mageia | mageia | 4.0 |
| openvpn | openvpn | 2.0_test5 |
| openvpn | openvpn | 2.0.1_rc1 |
| canonical | ubuntu_linux | 12.04 |
| debian | debian_linux | 7.0 |
| openvpn | openvpn | 2.0_rc4 |
| openvpn | openvpn | 2.0_rc18 |
| openvpn | openvpn_access_server | 2.0.10 |
| openvpn | openvpn | 2.0.3_rc1 |
| openvpn | openvpn | 2.0_test10 |
| openvpn | openvpn | 2.0.1_rc6 |
| openvpn | openvpn | 2.0_test9 |
| openvpn | openvpn | 2.0_test24 |
| opensuse | opensuse | 12.3 |
| openvpn | openvpn | 2.0.1_rc4 |
| openvpn | openvpn | 2.0_test19 |
| openvpn | openvpn | 2.2 |
| openvpn | openvpn | 2.0.1_rc3 |
| openvpn | openvpn | 2.0_rc5 |
| canonical | ubuntu_linux | 14.10 |
| canonical | ubuntu_linux | 14.04 |
| openvpn | openvpn | 2.3.0 |
| openvpn | openvpn | 2.0.6_rc1 |
Multiple cross-site request forgery (CSRF) vulnerabilities in the XML-RPC API in the Desktop Client in OpenVPN Access Server 1.5.6 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) disconnecting established VPN sessions, (2) connect to arbitrary VPN servers, or (3) create VPN profiles and execute arbitrary commands via crafted API requests.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-352,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openvpn | openvpn_access_server | * |
OpenVPN, when using a 64-bit block cipher, makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTP-over-OpenVPN session using Blowfish in CBC mode, aka a "Sweet32" attack.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-200,CWE-310,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openvpn | openvpn | * |
OpenVPN versions before 2.3.3 and 2.4.x before 2.4.4 are vulnerable to a buffer overflow vulnerability when key-method 1 is used, possibly resulting in code execution.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 9.0 |
| openvpn | openvpn | * |
CRLF injection vulnerability in the web interface in OpenVPN Access Server 2.1.4 allows remote attackers to inject arbitrary HTTP headers and consequently conduct session fixation attacks and possibly HTTP response splitting attacks via "%0A" characters in the PATH_INFO to __session_start__/.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-93,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openvpn | openvpn_access_server | 2.1.4 |
OpenVPN version 2.3.12 and newer is vulnerable to unauthenticated Denial of Service of server via received large control packet. Note that this issue is fixed in 2.3.15 and 2.4.2.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-617,CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openvpn | openvpn | 2.3.12 |
| openvpn | openvpn | 2.3.13 |
| openvpn | openvpn | 2.4.0 |
| openvpn | openvpn | 2.4.1 |
| openvpn | openvpn | 2.3.14 |
OpenVPN versions before 2.3.15 and before 2.4.2 are vulnerable to reachable assertion when packet-ID counter rolls over resulting into Denial of Service of server by authenticated attacker.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-617,CWE-617,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openvpn | openvpn | 2.4.0 |
| openvpn | openvpn | 2.4.1 |
| openvpn | openvpn | * |
OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to remote denial-of-service when receiving malformed IPv6 packet.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-617,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openvpn | openvpn | 2.4.2 |
| openvpn | openvpn | 2.4.0 |
| openvpn | openvpn | 2.4.1 |
| openvpn | openvpn | * |
OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to denial-of-service and/or possibly sensitive memory leak triggered by man-in-the-middle attacker.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-200,CWE-125,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openvpn | openvpn | 2.4.2 |
| openvpn | openvpn | 2.4.0 |
| openvpn | openvpn | 2.4.1 |
| openvpn | openvpn | * |
OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to remote denial-of-service due to memory exhaustion caused by memory leaks and double-free issue in extract_x509_extension().
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-400,CWE-415,CWE-772,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openvpn | openvpn | 2.4.2 |
| openvpn | openvpn | 2.4.0 |
| openvpn | openvpn | 2.4.1 |
| openvpn | openvpn | * |
OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to denial-of-service by authenticated remote attacker via sending a certificate with an embedded NULL character.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,CWE-476,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openvpn | openvpn | 2.4.2 |
| openvpn | openvpn | 2.4.0 |
| openvpn | openvpn | 2.4.1 |
| openvpn | openvpn | * |
A cross-protocol scripting issue was discovered in the management interface in OpenVPN through 2.4.5. When this interface is enabled over TCP without a password, and when no other clients are connected to this interface, attackers can execute arbitrary management commands, obtain sensitive information, or cause a denial of service (SIGTERM) by triggering XMLHttpRequest actions in a web browser. This is demonstrated by a multipart/form-data POST to http://localhost:23000 with a "signal SIGTERM" command in a TEXTAREA element. NOTE: The vendor disputes that this is a vulnerability. They state that this is the result of improper configuration of the OpenVPN instance rather than an intrinsic vulnerability, and now more explicitly warn against such configurations in both the management-interface documentation, and with a runtime warning
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-134,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openvpn | openvpn | * |
openvpnserv.exe (aka the interactive service helper) in OpenVPN 2.4.x before 2.4.6 allows a local attacker to cause a double-free of memory by sending a malformed request to the interactive service. This could cause a denial-of-service through memory corruption or possibly have unspecified other impact including privilege escalation.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-415,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| slackware | slackware_linux | 14.0 |
| slackware | slackware_linux | 13.1 |
| slackware | slackware_linux | 13.0 |
| openvpn | openvpn | * |
| slackware | slackware_linux | 13.37 |
| slackware | slackware_linux | 14.1 |
An issue was discovered in OpenVPN Access Server before 2.7.0 and 2.8.x before 2.8.3. With the full featured RPC2 interface enabled, it is possible to achieve a temporary DoS state of the management interface when sending an XML Entity Expansion (XEE) payload to the XMLRPC based RPC2 interface. The duration of the DoS state depends on available memory and CPU speed. The default restricted mode of the RPC2 interface is NOT vulnerable.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-776,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openvpn | openvpn_access_server | * |
An issue was discovered in OpenVPN 2.4.x before 2.4.9. An attacker can inject a data channel v2 (P_DATA_V2) packet using a victim's peer-id. Normally such packets are dropped, but if this packet arrives before the data channel crypto parameters have been initialized, the victim's connection will be dropped. This requires careful timing due to the small time window (usually within a few seconds) between the victim client connection starting and the server PUSH_REPLY response back to the client. This attack will only work if Negotiable Cipher Parameters (NCP) is in use.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 3.7 | LOW | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L | 2.2 | 1.4 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-362,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 8.0 |
| debian | debian_linux | 9.0 |
| debian | debian_linux | 10.0 |
| fedoraproject | fedora | 30 |
| fedoraproject | fedora | 32 |
| openvpn | openvpn | * |
OpenVPN Access Server older than version 2.8.4 and version 2.9.5 generates new user authentication tokens instead of reusing exiting tokens on reconnect making it possible to circumvent the initial token expiry timestamp.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-302,CWE-613,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openvpn | openvpn_access_server | * |
OpenVPN Connect installer for macOS version 3.2.6 and older may corrupt system critical files it should not have access via symlinks in /tmp.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.1 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H | 1.8 | 5.2 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-61,CWE-59,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openvpn | connect | * |
Private Tunnel installer for macOS version 3.0.1 and older versions may corrupt system critical files it should not have access via symlinks in /tmp.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-61,CWE-59,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openvpn | private_tunnel | * |
OpenVPN Access Server 2.8.7 and earlier versions allows a remote attackers to bypass authentication and access control channel data on servers configured with deferred authentication, which can be used to potentially trigger further information leaks.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N | 1.6 | 3.6 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-305,CWE-287,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openvpn | openvpn_access_server | * |
OpenVPN 2.5.1 and earlier versions allows a remote attackers to bypass authentication and access control channel data on servers configured with deferred authentication, which can be used to potentially trigger further information leaks.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-305,CWE-306,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 9.0 |
| canonical | ubuntu_linux | 18.04 |
| fedoraproject | fedora | 33 |
| canonical | ubuntu_linux | 20.04 |
| canonical | ubuntu_linux | 21.04 |
| fedoraproject | fedora | 32 |
| canonical | ubuntu_linux | 20.10 |
| openvpn | openvpn | * |
| fedoraproject | fedora | 34 |
Control Channel in OpenVPN 2.4.7 and earlier allows remote attackers to cause a denial of service via crafted reset packet.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openvpn | openvpn | * |
OpenVPN Access Server 2.7.3 to 2.8.7 allows remote attackers to trigger an assert during the user authentication phase via incorrect authentication token data in an early phase of the user authentication resulting in a denial of service.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-754,CWE-617,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openvpn | openvpn_access_server | * |
OpenVPN Access Server 2.8.x before 2.8.1 allows LDAP authentication bypass (except when a user is enrolled in two-factor authentication).
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-287,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openvpn | openvpn_access_server | * |
OpenVPN Connect 3.1.0.361 on Windows has Insecure Permissions for %PROGRAMDATA%\OpenVPN Connect\drivers\tap\amd64\win10, which allows local users to gain privileges by copying a malicious drvstore.dll there.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-281,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openvpn | connect | * |
OpenVPN 3 Core Library version 3.6 and 3.6.1 allows a man-in-the-middle attacker to bypass the certificate authentication by issuing an unrelated server certificate using the same hostname found in the verify-x509-name option in a client configuration.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.4 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N | 2.2 | 5.2 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-305,CWE-295,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openvpn | openvpn | 3.6.1 |
| openvpn | openvpn | 3.6 |
OpenVPN before version 2.5.3 on Windows allows local users to load arbitrary dynamic loadable libraries via an OpenSSL configuration file if present, which allows the user to run arbitrary code with the same privilege level as the main OpenVPN process (openvpn.exe).
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 1.8 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-427,CWE-427,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openvpn | openvpn | * |
OpenVPN Connect 3.2.0 through 3.3.0 allows local users to load arbitrary dynamic loadable libraries via an OpenSSL configuration file if present, which allows the user to run arbitrary code with the same privilege level as the main OpenVPN process (OpenVPNConnect.exe).
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 1.8 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-427,CWE-427,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openvpn | connect | * |
OpenVPN Access Server 2.9.0 through 2.9.4 allow remote attackers to inject arbitrary web script or HTML via the web login page URL.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-84,CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openvpn | openvpn_access_server | * |
OpenVPN Access Server 2.10 and prior versions are susceptible to resending multiple packets in a response to a reset packet sent from the client which the client again does not respond to, resulting in a limited amplification attack.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-406,NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openvpn | openvpn_access_server | * |
OpenVPN 2.1 until v2.4.12 and v2.5.6 may enable authentication bypass in external authentication plug-ins when more than one of them makes use of deferred authentication replies, which allows an external user to be granted access with only partially correct credentials.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-305,CWE-287,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 9.0 |
| fedoraproject | fedora | 36 |
| openvpn | openvpn | * |
| fedoraproject | fedora | 34 |
The OpenVPN Access Server installer creates a log file readable for everyone, which from version 2.10.0 and before 2.11.0 may contain a random generated admin password
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-708,CWE-532,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openvpn | openvpn_access_server | * |
OpenVPN Access Server before 2.11 uses a weak random generator used to create user session token for the web portal
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-331,CWE-338,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openvpn | openvpn_access_server | * |
OpenVPN Connect versions before 3.4.0.4506 (macOS) and OpenVPN Connect before 3.4.0.3100 (Windows) allows man-in-the-middle attackers to intercept configuration profile download requests which contains the users credentials
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N | 2.2 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openvpn | connect | * |
Using the --fragment option in certain configuration setups OpenVPN version 2.6.0 to 2.6.6 allows an attacker to trigger a divide by zero behaviour which could cause an application crash, leading to a denial of service.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 12.0 |
| fedoraproject | fedora | 39 |
| openvpn | openvpn_access_server | 2.12.0 |
| openvpn | openvpn_access_server | * |
| openvpn | openvpn_access_server | 2.12.1 |
| openvpn | openvpn | * |
Use after free in OpenVPN version 2.6.0 to 2.6.6 may lead to undefined behavoir, leaking memory buffers or remote execution when sending network buffers to a remote peer.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 12.0 |
| fedoraproject | fedora | 39 |
| openvpn | openvpn_access_server | * |
| openvpn | openvpn | * |
The PKCS#7 parser in OpenVPN 3 Core Library versions through 3.8.3 did not properly validate the parsed data, which would result in the application crashing.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openvpn | openvpn_3 | * |
OpenVPN Connect version 3.0 through 3.4.6 on macOS allows local users to execute code in external third party libraries using the DYLD_INSERT_LIBRARIES environment variable
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openvpn | connect | * |
The OpenVPN GUI installer before version 2.6.9 did not set the proper access control restrictions to the installation directory of OpenVPN binaries when using a non-standard installation path, which allows an attacker to replace binaries to run arbitrary executables.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openvpn | openvpn_gui | * |
tap-windows6 driver version 9.26 and earlier does not properly check the size data of incomming write operations which an attacker can use to overflow memory buffers, resulting in a bug check and potentially arbitrary code execution in kernel space
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openvpn | tap-windows6 | * |
Weak encryption algorithm in Easy-RSA version 3.0.5 through 3.1.7 allows a local attacker to more easily bruteforce the private CA key when created using OpenSSL 3
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 5.3 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L | 1.8 | 3.4 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openvpn | easy-rsa | * |
The interactive service in OpenVPN 2.6.9 and earlier allows the OpenVPN service pipe to be accessed remotely, which allows a remote attacker to interact with the privileged OpenVPN interactive service.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openvpn | openvpn | * |
The interactive service in OpenVPN 2.6.9 and earlier allows an attacker to send data causing a stack overflow which can be used to execute arbitrary code with more privileges.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openvpn | openvpn | * |
OpenVPN plug-ins on Windows with OpenVPN 2.6.9 and earlier could be loaded from any directory, which allows an attacker to load an arbitrary plug-in which can be used to interact with the privileged OpenVPN interactive service.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openvpn | openvpn | * |
OpenVPN from 2.6.0 through 2.6.10 in a server role accepts multiple exit notifications from authenticated clients which will extend the validity of a closing session
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openvpn | openvpn | * |
OpenVPN version 2.4.0 through 2.6.10 on Windows allows an external, lesser privileged process to create a named pipe which the OpenVPN GUI component would connect to allowing it to escalate its privileges
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openvpn | openvpn | * |
OpenVPN ovpn-dco for Windows version 1.1.1 allows an unprivileged local attacker to send I/O control messages with invalid data to the driver resulting in a NULL pointer dereference leading to a system halt.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 3.3 | LOW | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L | 1.8 | 1.4 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openvpn | ovpn-dco-win | 1.1.1 |
OpenVPN before 2.6.11 does not santize PUSH_REPLY messages properly which an attacker controlling the server can use to inject unexpected arbitrary data ending up in client logs.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N | 3.9 | 5.2 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openvpn | openvpn | * |
OpenVPN Connect before version 3.5.0 can contain the configuration profile's clear-text private key which is logged in the application log, which an unauthorized actor can use to decrypt the VPN traffic
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openvpn | connect | * |
Insufficient argument validation in OpenVPN 2.7_alpha1 through 2.7_rc1 allows an attacker to trigger a heap buffer over-read when parsing IP addresses
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H | 3.9 | 5.2 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openvpn | openvpn | 2.6.13 |
| openvpn | openvpn | 2.7 |
Improper validation of source IP addresses in OpenVPN version 2.6.0 through 2.6.15 and 2.7_alpha1 through 2.7_rc1 allows an attacker to open a session from a different IP address which did not initiate the connection resulting in a denial of service for the originating client
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openvpn | openvpn | 2.7 |
| openvpn | openvpn | * |
Interactive service agent in OpenVPN version 2.5.0 through 2.6.16 and 2.7_alpha1 through 2.7_rc2 on Windows allows a local authenticated user to connect to the service and trigger an error causing a local denial of service.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openvpn | openvpn | 2.7 |
| openvpn | openvpn | * |
OpenVPN version 2.6.1 through 2.6.13 in server mode using TLS-crypt-v2 allows remote attackers to trigger a denial of service by corrupting and replaying network packets in the early handshake phase
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openvpn | openvpn | * |
The configuration initialization tool in OpenVPN 3 Linux v20 through v24 on Linux allows a local attacker to use symlinks pointing at an arbitrary directory which will change the ownership and permissions of that destination directory.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 6.2 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 2.5 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openvpn | openvpn3linux | * |
Buffer overflow in OpenVPN ovpn-dco-win version 1.3.0 and earlier and version 2.5.8 and earlier allows a local user process to send a too large control message buffer to the kernel driver resulting in a system crash
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 1.8 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openvpn | ovpn-dco-win | * |