CVE-2017-7522 — Improper Input Validation in Openvpn

CWE-20 — Improper Input Validation CWE-476 — NULL Pointer Dereference9 documents7 sources

Severity

6.5MEDIUMNVD

EPSS

0.5%

top 33.10%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openvpn Debian Openvpn Openvpn Technologies INC Openvpn

Timeline

PublishedJun 27

Latest updateMay 17

Description

OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to denial-of-service by authenticated remote attacker via sending a certificate with an embedded NULL character.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

▶debiandebian/openvpn< openvpn 2.4.3-1 (bookworm)

▶Debianopenvpn/openvpn< 2.4.3-1+3

▶NVDopenvpn/openvpn2.3.16+3

▶CVEListV5openvpn_technologies_inc/openvpnbefore 2.3.17, before 2.4.3+1

🔴Vulnerability Details

GHSA

GHSA-c6pr-p5hf-w49p: OpenVPN versions before 2↗2022-05-17

▶

OSV

CVE-2017-7522: OpenVPN versions before 2↗2017-06-27

▶

📋Vendor Advisories

Red Hat

openvpn: Multiple security issues fixed in OpenVPN 2.4.3 and 2.3.17↗2017-06-21

▶

Debian

CVE-2017-7522: openvpn - OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to denial-of-serv...↗2017

▶

💬Community

HackerOne

4 severe remote + several minor OpenVPN vulnerabilities↗2019-10-14

▶

Bugzilla

CVE-2017-7508 CVE-2017-7520 CVE-2017-7521 CVE-2017-7522 openvpn: Multiple security issues fixed in OpenVPN 2.4.3 and 2.3.17↗2017-06-21

▶

Bugzilla

CVE-2017-7508 CVE-2017-7520 CVE-2017-7521 CVE-2017-7522 openvpn: Multiple security issues fixed in OpenVPN 2.4.3 and 2.3.17 [epel-all]↗2017-06-21

▶

Bugzilla

CVE-2017-7508 CVE-2017-7520 CVE-2017-7521 CVE-2017-7522 openvpn: Multiple security issues fixed in OpenVPN 2.4.3 and 2.3.17 [fedora-all]↗2017-06-21

▶