rpm package
suse/openvpn-openssl1&distro=SUSE Linux Enterprise Server 11-SECURITY
pkg:rpm/suse/openvpn-openssl1&distro=SUSE%20Linux%20Enterprise%20Server%2011-SECURITY
Vulnerabilities (9)
| CVE | Severity | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2022-0547 | — | | | < 2.3.2-0.10.12.1 | 2.3.2-0.10.12.1 | Mar 18, 2022 | OpenVPN 2.1 until v2.4.12 and v2.5.6 may enable authentication bypass in external authentication plug-ins when more than one of them makes use of deferred authentication replies, which allows an external user to be granted access with only partially correct credentials. |
| CVE-2020-15078 | — | | | < 2.3.2-0.10.9.1 | 2.3.2-0.10.9.1 | Apr 26, 2021 | OpenVPN 2.5.1 and earlier versions allow remote attackers to bypass authentication and access control channel data on servers configured with deferred authentication, which can be used to potentially trigger further information leaks. |
| CVE-2018-7544 | — | | | < 2.3.2-0.10.9.1 | 2.3.2-0.10.9.1 | Mar 16, 2018 | A cross-protocol scripting issue was discovered in the management interface in OpenVPN through 2.4.5. When this interface is enabled over TCP without a password, and when no other clients are connected to this interface, attackers can execute arbitrary management commands, obtain |
| CVE-2017-12166 | Critical | 9.8 | | < 2.3.2-0.10.3.1 | 2.3.2-0.10.3.1 | Oct 4, 2017 | OpenVPN versions before 2.3.3 and 2.4.x before 2.4.4 are vulnerable to a buffer overflow vulnerability when key-method 1 is used, possibly resulting in code execution. |
| CVE-2017-7521 | Medium | 5.9 | | < 2.3.2-0.9.1 | 2.3.2-0.9.1 | Jun 27, 2017 | OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to remote denial-of-service due to memory exhaustion caused by memory leaks and a double-free issue in extract_x509_extension(). |
| CVE-2017-7520 | High | 7.4 | | < 2.3.2-0.9.1 | 2.3.2-0.9.1 | Jun 27, 2017 | OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to denial-of-service and/or possibly a sensitive memory leak triggered by a man-in-the-middle attacker. |
| CVE-2017-7508 | High | 7.5 | | < 2.3.2-0.9.1 | 2.3.2-0.9.1 | Jun 27, 2017 | OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to remote denial-of-service when receiving a malformed IPv6 packet. |
| CVE-2017-7479 | Medium | 6.5 | | < 2.3.2-0.9.1 | 2.3.2-0.9.1 | May 15, 2017 | OpenVPN versions before 2.3.15 and before 2.4.2 are vulnerable to a reachable assertion when the packet-ID counter rolls over, resulting in Denial of Service of the server by an authenticated attacker. |
| CVE-2017-7478 | High | 7.5 | | < 2.3.2-0.9.1 | 2.3.2-0.9.1 | May 15, 2017 | OpenVPN version 2.3.12 and newer is vulnerable to unauthenticated Denial of Service of the server via a received large control packet. Note that this issue is fixed in 2.3.15 and 2.4.2. |