Openvpn Openvpn Access Server — known CVE vulnerabilities
Every CVE whose affected-product data names Openvpn Openvpn Access Server, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (20)
CVE-2020-8953 — CVSS 9.8 (critical): OpenVPN Access Server 2.8.x before 2.8.1 allows LDAP authentication bypass (except when a user is enrolled in two-factor authentication).
CVE-2023-46850 — CVSS 9.8 (critical): Use after free in OpenVPN version 2.6.0 to 2.6.6 may lead to undefined behavoir, leaking memory buffers or remote execution when sending…
CVE-2006-1629 — CVSS 9.0 (critical): OpenVPN 2.0 through 2.0.5 allows remote malicious servers to execute arbitrary code on the client by using setenv with the LD_PRELOAD…
CVE-2020-15074 — CVSS 7.5 (high): OpenVPN Access Server older than version 2.8.4 and version 2.9.5 generates new user authentication tokens instead of reusing exiting tokens…
CVE-2020-11462 — CVSS 7.5 (high): An issue was discovered in OpenVPN Access Server before 2.7.0 and 2.8.x before 2.8.3. With the full featured RPC2 interface enabled, it is…
CVE-2005-3393 — CVSS 7.5 (high): Format string vulnerability in the foreign_option function in options.c for OpenVPN 2.0.x allows remote clients to execute arbitrary code…
CVE-2020-36382 — CVSS 7.5 (high): OpenVPN Access Server 2.7.3 to 2.8.7 allows remote attackers to trigger an assert during the user authentication phase via incorrect…
CVE-2021-4234 — CVSS 7.5 (high): OpenVPN Access Server 2.10 and prior versions are susceptible to resending multiple packets in a response to a reset packet sent from the…
CVE-2022-33737 — CVSS 7.5 (high): The OpenVPN Access Server installer creates a log file readable for everyone, which from version 2.10.0 and before 2.11.0 may contain a…
CVE-2022-33738 — CVSS 7.5 (high): OpenVPN Access Server before 2.11 uses a weak random generator used to create user session token for the web portal
CVE-2023-46849 — CVSS 7.5 (high): Using the --fragment option in certain configuration setups OpenVPN version 2.6.0 to 2.6.6 allows an attacker to trigger a divide by zero…
CVE-2013-2692 — CVSS 6.8 (medium): Cross-site request forgery (CSRF) vulnerability in the Admin web interface in OpenVPN Access Server before 1.8.5 allows remote attackers to…
CVE-2014-9104 — CVSS 6.8 (medium): Multiple cross-site request forgery (CSRF) vulnerabilities in the XML-RPC API in the Desktop Client in OpenVPN Access Server 1.5.6 and…
CVE-2014-8104 — CVSS 6.8 (medium): OpenVPN 2.x before 2.0.11, 2.1.x, 2.2.x before 2.2.3, and 2.3.x before 2.3.6 allows remote authenticated users to cause a denial of service…
CVE-2021-3824 — CVSS 6.1 (medium): OpenVPN Access Server 2.9.0 through 2.9.4 allow remote attackers to inject arbitrary web script or HTML via the web login page URL.
CVE-2017-5868 — CVSS 6.1 (medium): CRLF injection vulnerability in the web interface in OpenVPN Access Server 2.1.4 allows remote attackers to inject arbitrary HTTP headers…
CVE-2020-15077 — CVSS 5.3 (medium): OpenVPN Access Server 2.8.7 and earlier versions allows a remote attackers to bypass authentication and access control channel data on…
CVE-2005-3409 — CVSS 5.0 (medium): OpenVPN 2.x before 2.0.4, when running in TCP mode, allows remote attackers to cause a denial of service (segmentation fault) by forcing…
CVE-2006-2229 — CVSS 4.0 (medium): OpenVPN 2.0.7 and earlier, when configured to use the --management option with an IP that is not 127.0.0.1, uses a cleartext password for…
CVE-2013-2061 — CVSS 2.6 (low): The openvpn_decrypt function in crypto.c in OpenVPN 2.3.0 and earlier, when running in UDP mode, allows remote attackers to obtain…