Skip to main content

Openvpn Access Server

13 CVEs product

Monthly

CVE-2023-46850 CRITICAL Act Now

Use after free in OpenVPN version 2.6.0 to 2.6.6 may lead to undefined behavoir, leaking memory buffers or remote execution when sending network buffers to a remote peer. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption Denial Of Service Use After Free Openvpn Openvpn Access Server +2
NVD VulDB
CVSS 3.1
9.8
EPSS
2.0%
CVE-2023-46849 HIGH This Week

Using the --fragment option in certain configuration setups OpenVPN version 2.6.0 to 2.6.6 allows an attacker to trigger a divide by zero behaviour which could cause an application crash, leading to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Openvpn Openvpn Access Server Debian Linux Fedora
NVD
CVSS 3.1
7.5
EPSS
1.2%
CVE-2022-33738 HIGH This Week

OpenVPN Access Server before 2.11 uses a weak random generator used to create user session token for the web portal. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Openvpn Access Server
NVD
CVSS 3.1
7.5
EPSS
0.9%
CVE-2022-33737 HIGH This Week

The OpenVPN Access Server installer creates a log file readable for everyone, which from version 2.10.0 and before 2.11.0 may contain a random generated admin password. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Openvpn Access Server
NVD
CVSS 3.1
7.5
EPSS
0.8%
CVE-2021-3824 MEDIUM This Month

OpenVPN Access Server 2.9.0 through 2.9.4 allow remote attackers to inject arbitrary web script or HTML via the web login page URL. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Openvpn Access Server
NVD
CVSS 3.1
6.1
EPSS
0.7%
CVE-2020-15074 HIGH This Week

OpenVPN Access Server older than version 2.8.4 and version 2.9.5 generates new user authentication tokens instead of reusing exiting tokens on reconnect making it possible to circumvent the initial. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Openvpn Access Server
NVD
CVSS 3.1
7.5
EPSS
1.0%
CVE-2020-11462 HIGH This Week

An issue was discovered in OpenVPN Access Server before 2.7.0 and 2.8.x before 2.8.3. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Openvpn Access Server
NVD
CVSS 3.1
7.5
EPSS
1.3%
CVE-2020-8953 CRITICAL Act Now

OpenVPN Access Server 2.8.x before 2.8.1 allows LDAP authentication bypass (except when a user is enrolled in two-factor authentication). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Openvpn Access Server
NVD
CVSS 3.1
9.8
EPSS
1.3%
CVE-2017-5868 MEDIUM POC This Month

CRLF injection vulnerability in the web interface in OpenVPN Access Server 2.1.4 allows remote attackers to inject arbitrary HTTP headers and consequently conduct session fixation attacks and. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Openvpn Access Server
NVD
CVSS 3.0
6.1
EPSS
8.5%
CVE-2014-8104 MEDIUM This Month

OpenVPN 2.x before 2.0.11, 2.1.x, 2.2.x before 2.2.3, and 2.3.x before 2.3.6 allows remote authenticated users to cause a denial of service (server crash) via a small control channel packet. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Mageia Debian Linux Opensuse Openvpn +2
NVD
CVSS 2.0
6.8
EPSS
2.1%
CVE-2014-9104 MEDIUM POC This Month

Multiple cross-site request forgery (CSRF) vulnerabilities in the XML-RPC API in the Desktop Client in OpenVPN Access Server 1.5.6 and earlier allow remote attackers to hijack the authentication of. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

CSRF Openvpn Access Server
NVD
CVSS 2.0
6.8
EPSS
0.2%
CVE-2013-2692 MEDIUM This Month

Cross-site request forgery (CSRF) vulnerability in the Admin web interface in OpenVPN Access Server before 1.8.5 allows remote attackers to hijack the authentication of administrators for requests. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

CSRF Openvpn Access Server
NVD
CVSS 2.0
6.8
EPSS
0.2%
CVE-2013-2061 LOW POC PATCH Monitor

The openvpn_decrypt function in crypto.c in OpenVPN 2.3.0 and earlier, when running in UDP mode, allows remote attackers to obtain sensitive information via a timing attack involving an HMAC. Rated low severity (CVSS 2.6), this vulnerability is remotely exploitable. Public exploit code available.

Information Disclosure Oracle Openvpn Openvpn Access Server Opensuse
NVD GitHub
CVSS 2.0
2.6
EPSS
1.5%
EPSS 2% CVSS 9.8
CRITICAL Act Now

Use after free in OpenVPN version 2.6.0 to 2.6.6 may lead to undefined behavoir, leaking memory buffers or remote execution when sending network buffers to a remote peer. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption Denial Of Service Use After Free +4
NVD VulDB
EPSS 1% CVSS 7.5
HIGH This Week

Using the --fragment option in certain configuration setups OpenVPN version 2.6.0 to 2.6.6 allows an attacker to trigger a divide by zero behaviour which could cause an application crash, leading to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Openvpn Openvpn Access Server +2
NVD
EPSS 1% CVSS 7.5
HIGH This Week

OpenVPN Access Server before 2.11 uses a weak random generator used to create user session token for the web portal. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Openvpn Access Server
NVD
EPSS 1% CVSS 7.5
HIGH This Week

The OpenVPN Access Server installer creates a log file readable for everyone, which from version 2.10.0 and before 2.11.0 may contain a random generated admin password. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Openvpn Access Server
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

OpenVPN Access Server 2.9.0 through 2.9.4 allow remote attackers to inject arbitrary web script or HTML via the web login page URL. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Openvpn Access Server
NVD
EPSS 1% CVSS 7.5
HIGH This Week

OpenVPN Access Server older than version 2.8.4 and version 2.9.5 generates new user authentication tokens instead of reusing exiting tokens on reconnect making it possible to circumvent the initial. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Openvpn Access Server
NVD
EPSS 1% CVSS 7.5
HIGH This Week

An issue was discovered in OpenVPN Access Server before 2.7.0 and 2.8.x before 2.8.3. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Openvpn Access Server
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

OpenVPN Access Server 2.8.x before 2.8.1 allows LDAP authentication bypass (except when a user is enrolled in two-factor authentication). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Openvpn Access Server
NVD
EPSS 8% CVSS 6.1
MEDIUM POC This Month

CRLF injection vulnerability in the web interface in OpenVPN Access Server 2.1.4 allows remote attackers to inject arbitrary HTTP headers and consequently conduct session fixation attacks and. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Openvpn Access Server
NVD
EPSS 2% CVSS 6.8
MEDIUM This Month

OpenVPN 2.x before 2.0.11, 2.1.x, 2.2.x before 2.2.3, and 2.3.x before 2.3.6 allows remote authenticated users to cause a denial of service (server crash) via a small control channel packet. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Mageia Debian Linux +4
NVD
EPSS 0% CVSS 6.8
MEDIUM POC This Month

Multiple cross-site request forgery (CSRF) vulnerabilities in the XML-RPC API in the Desktop Client in OpenVPN Access Server 1.5.6 and earlier allow remote attackers to hijack the authentication of. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

CSRF Openvpn Access Server
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

Cross-site request forgery (CSRF) vulnerability in the Admin web interface in OpenVPN Access Server before 1.8.5 allows remote attackers to hijack the authentication of administrators for requests. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

CSRF Openvpn Access Server
NVD
EPSS 1% CVSS 2.6
LOW POC PATCH Monitor

The openvpn_decrypt function in crypto.c in OpenVPN 2.3.0 and earlier, when running in UDP mode, allows remote attackers to obtain sensitive information via a timing attack involving an HMAC. Rated low severity (CVSS 2.6), this vulnerability is remotely exploitable. Public exploit code available.

Information Disclosure Oracle Openvpn +2
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy