CVE-2005-2531Openvpn vulnerability

4 documents4 sources
Severity
5.0MEDIUMNVD
EPSS
1.4%
top 19.47%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
OpenvpnDebian Openvpn
Timeline
PublishedAug 24
Latest updateMay 1

Description

OpenVPN before 2.0.1, when running with "verb 0" and without TLS authentication, does not properly flush the OpenSSL error queue when a client fails certificate authentication to the server and causes the error to be processed by the wrong client, which allows remote attackers to cause a denial of service (client disconnection) via a large number of failed authentication attempts.

CVSS vector

AV:N/AC:L/C:N/I:N/A:PExploitability: 10.0 | Impact: 2.9

Affected Packages3 packages

debiandebian/openvpn< openvpn 2.0.2-1 (bookworm)
Debianopenvpn/openvpn< 2.0.2-1+3
NVDopenvpn/openvpn74 versions+73

Patches

Patch: www.mandriva.comPatch: www.mandriva.com

🔴Vulnerability Details

2
GHSA
GHSA-h572-qc5h-fc64: OpenVPN before 22022-05-01
OSV
CVE-2005-2531: OpenVPN before 22005-08-24

📋Vendor Advisories

1
Debian
CVE-2005-2531: openvpn - OpenVPN before 2.0.1, when running with "verb 0" and without TLS authentication,...2005
CVE-2005-2531 — Debian Openvpn vulnerability | cvebase