CVE-2010-3902 — Sensitive Information Exposure in Openconnect

CWE-200 — Sensitive Information Exposure6 documents6 sources

Severity

5.0MEDIUMNVD

EPSS

0.6%

top 31.68%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Infradead Openconnect

Timeline

PublishedOct 14

Latest updateMay 17

Description

OpenConnect before 2.26 places the webvpn cookie value in the debugging output, which might allow remote attackers to obtain sensitive information by reading this output, as demonstrated by output posted to the public openconnect-devel mailing list.

CVSS vector

AV:N/AC:L/C:P/I:N/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages2 packages

▶Debianinfradead/openconnect< 3.02-1+3

▶NVDinfradead/openconnect2.25+5

🔴Vulnerability Details

GHSA

GHSA-mvq9-gwc4-9r68: OpenConnect before 2↗2022-05-17

▶

OSV

CVE-2010-3902: OpenConnect before 2↗2010-10-14

▶

CVEList

CVE-2010-3902: OpenConnect before 2↗2010-10-12

▶

📋Vendor Advisories

Debian

CVE-2010-3902: openconnect - OpenConnect before 2.26 places the webvpn cookie value in the debugging output, ...↗2010

▶

💬Community

Bugzilla

CVE-2010-3902 OpenConnect: webvpn cookie content disclosure via debugging output↗2010-10-15

▶