Skip to main content

Openvpn CVE-2022-0547

CRITICAL
Authentication Bypass by Primary Weakness (CWE-305)
2022-03-18 security@openvpn.net
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Mar 18, 2022 - 18:15 nvd
CRITICAL 9.8

DescriptionNVD

OpenVPN 2.1 until v2.4.12 and v2.5.6 may enable authentication bypass in external authentication plug-ins when more than one of them makes use of deferred authentication replies, which allows an external user to be granted access with only partially correct credentials.

AnalysisAI

OpenVPN 2.1 until v2.4.12 and v2.5.6 may enable authentication bypass in external authentication plug-ins when more than one of them makes use of deferred authentication replies, which allows an. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Technical ContextAI

This vulnerability is classified under CWE-305. OpenVPN 2.1 until v2.4.12 and v2.5.6 may enable authentication bypass in external authentication plug-ins when more than one of them makes use of deferred authentication replies, which allows an external user to be granted access with only partially correct credentials. Affected products include: Openvpn, Fedoraproject Fedora, Debian Debian Linux.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2018-7544 CRITICAL POC
9.1 Mar 16

A cross-protocol scripting issue was discovered in the management interface in OpenVPN through 2.4.5. Rated critical sev

CVE-2017-7478 HIGH POC
7.5 May 15

OpenVPN version 2.3.12 and newer is vulnerable to unauthenticated Denial of Service of server via received large control

CVE-2018-9336 HIGH POC
7.8 May 01

openvpnserv.exe (aka the interactive service helper) in OpenVPN 2.4.x before 2.4.6 allows a local attacker to cause a do

CVE-2023-46850 CRITICAL
9.8 Nov 11

Use after free in OpenVPN version 2.6.0 to 2.6.6 may lead to undefined behavoir, leaking memory buffers or remote execut

CVE-2019-25429 MEDIUM POC
6.1 Feb 19

Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malic

CVE-2019-25428 MEDIUM POC
6.1 Feb 19

Comodo Dome Firewall 2.7.0 contains multiple reflected cross-site scripting vulnerabilities in the openvpn_users endpoin

CVE-2017-12166 CRITICAL
9.8 Oct 04

OpenVPN versions before 2.3.3 and 2.4.x before 2.4.4 are vulnerable to a buffer overflow vulnerability when key-method 1

CVE-2024-27903 CRITICAL
9.8 Jul 08

OpenVPN plug-ins on Windows with OpenVPN 2.6.9 and earlier could be loaded from any directory, which allows an attacker

CVE-2020-7224 CRITICAL
9.8 Apr 16

The Aviatrix OpenVPN client through 2.5.7 on Linux, macOS, and Windows is vulnerable when OpenSSL parameters are altered

CVE-2025-12106 CRITICAL
9.1 Dec 01

Insufficient argument validation in OpenVPN 2.7_alpha1 through 2.7_rc1 allows an attacker to trigger a heap buffer over-

CVE-2024-4877 HIGH
8.8 Apr 03

OpenVPN version 2.4.0 through 2.6.10 on Windows allows an external, lesser privileged process to create a named pipe whi

CVE-2024-27459 HIGH
7.8 Jul 08

The interactive service in OpenVPN 2.6.9 and earlier allows an attacker to send data causing a stack overflow which can

Share

CVE-2022-0547 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy