CVE-2020-11462 — XML Entity Expansion in Access Server
Severity
7.5 HIGH (NVD)
EPSS
0.4%
top 40.00%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: May 4
Latest update: May 24
Description
An issue was discovered in OpenVPN Access Server before 2.7.0 and 2.8.x before 2.8.3. With the full featured RPC2 interface enabled, it is possible to achieve a temporary DoS state of the management interface when sending an XML Entity Expansion (XEE) payload to the XMLRPC based RPC2 interface. The duration of the DoS state depends on available memory and CPU speed. The default restricted mode of the RPC2 interface is NOT vulnerable.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6
Affected packages: 1 package
Community: Bugzilla (3)
CVE-2020-11462 openvpn: temporary DoS state of the management interface when sending an XML Entity Expansion payload to the XMLRPC based RPC2 [epel-all] (2020-05-11)
CVE-2020-11462 openvpn: temporary DoS state of the management interface when sending an XML Entity Expansion payload to the XMLRPC based RPC2 (2020-05-11)
CVE-2020-11462 openvpn: temporary DoS state of the management interface when sending an XML Entity Expansion payload to the XMLRPC based RPC2 [fedora-all] (2020-05-11)