Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2017-7478 — Reachable Assertion in Openvpn

CWE-617 — Reachable Assertion CWE-20 — Improper Input Validation9 documents7 sources

Severity

7.5HIGHNVD

EPSS

4.6%

top 10.74%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Openvpn Debian Openvpn Openvpn Technologies INC Openvpn

Timeline

PublishedMay 15

Latest updateMay 17

Description

OpenVPN version 2.3.12 and newer is vulnerable to unauthenticated Denial of Service of server via received large control packet. Note that this issue is fixed in 2.3.15 and 2.4.2.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶debiandebian/openvpn< openvpn 2.4.0-5 (bookworm)

▶Debianopenvpn/openvpn< 2.4.0-5+3

▶NVDopenvpn/openvpn5 versions+4

▶CVEListV5openvpn_technologies_inc/openvpn2.3.12 and newer

🔴Vulnerability Details

GHSA

GHSA-3wwj-66cm-595v: OpenVPN version 2↗2022-05-17

▶

OSV

CVE-2017-7478: OpenVPN version 2↗2017-05-15

▶

💥Exploits & PoCs

Exploit-DB

OpenVPN 2.4.0 - Denial of Service↗2017-05-11

▶

📋Vendor Advisories

Ubuntu

OpenVPN vulnerabilities↗2017-05-11

▶

Debian

CVE-2017-7478: openvpn - OpenVPN version 2.3.12 and newer is vulnerable to unauthenticated Denial of Serv...↗2017

▶

💬Community

Bugzilla

CVE-2017-7478 openvpn: Unauthenticated DoS via large control packets↗2017-05-15

▶

Bugzilla

CVE-2017-7478 CVE-2017-7479 openvpn: various flaws [fedora-all]↗2017-05-15

▶

Bugzilla

CVE-2017-7478 CVE-2017-7479 openvpn: various flaws [epel-all]↗2017-05-15

▶