VYPR
Get started
← All advisories
Unrated severityNVD Advisory· Published Nov 18, 2013· Updated Apr 29, 2026

CVE-2013-2061

CVE-2013-2061

Description

The openvpn_decrypt function in crypto.c in OpenVPN 2.3.0 and earlier, when running in UDP mode, allows remote attackers to obtain sensitive information via a timing attack involving an HMAC comparison function that does not run in constant time and a padding oracle attack on the CBC mode cipher.

Affected products

16
  • OpenVPN/OpenVPN14 versions
    cpe:2.3:a:openvpn:openvpn:*:*:*:*:*:*:*:*+ 13 more
    • cpe:2.3:a:openvpn:openvpn:*:*:*:*:*:*:*:*range: <=2.3.0
    • cpe:2.3:a:openvpn:openvpn:1.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:openvpn:openvpn:1.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:openvpn:openvpn:1.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:openvpn:openvpn:1.3.1:*:*:*:*:*:*:*
    • cpe:2.3:a:openvpn:openvpn:1.3.2:*:*:*:*:*:*:*
    • cpe:2.3:a:openvpn:openvpn:1.4.0:*:*:*:*:*:*:*
    • cpe:2.3:a:openvpn:openvpn:1.4.1:*:*:*:*:*:*:*
    • cpe:2.3:a:openvpn:openvpn:1.4.2:*:*:*:*:*:*:*
    • cpe:2.3:a:openvpn:openvpn:1.4.3:*:*:*:*:*:*:*
    • cpe:2.3:a:openvpn:openvpn:1.5.0:*:*:*:*:*:*:*
    • cpe:2.3:a:openvpn:openvpn:1.6.0:*:*:*:*:*:*:*
    • cpe:2.3:a:openvpn:openvpn:2.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:openvpn:openvpn:2.2.0:*:*:*:*:*:*:*
  • OpenVPN/Openvpn Access Server
    cpe:2.3:a:openvpn:openvpn_access_server:2.0.0:*:*:*:*:*:*:*
  • OpenSUSE/openSUSE
    cpe:2.3:o:opensuse:opensuse:11.4:*:*:*:*:*:*:*

Patches

1
11d21349a4e7
https://github.com/OpenVPN/openvpnvia nvd-ref
commit

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

10

News mentions

0

No linked articles in our index yet.