Medium severity6.1NVD Advisory· Published May 26, 2017· Updated May 13, 2026

CVE-2017-5868

Description

CRLF injection vulnerability in the web interface in OpenVPN Access Server 2.1.4 allows remote attackers to inject arbitrary HTTP headers and consequently conduct session fixation attacks and possibly HTTP response splitting attacks via "%0A" characters in the PATH_INFO to __session_start__/.

Affected products

OpenVPN/Openvpn Access Server
cpe:2.3:a:openvpn:openvpn_access_server:2.1.4:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.openwall.com/lists/oss-security/2017/05/23/13nvdExploitMailing ListThird Party Advisory
sysdream.com/news/lab/2017-05-05-cve-2017-5868-openvpn-access-server-crlf-injection-with-session-fixation/nvdExploitMitigationThird Party Advisory
www.securitytracker.com/id/1038547nvdThird Party AdvisoryVDB Entry

News mentions

No linked articles in our index yet.

cvss	0.397
epss	0.007
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000