CVE-2020-15074: Authentication Bypass by Assumed-Immutable Data in Access Server

Severity: 7.5 HIGH (NVD)
EPSS: 0.2% (top 59.44%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jul 14; Latest update May 24

Description

OpenVPN Access Server older than version 2.8.4 and version 2.9.5 generates new user authentication tokens instead of reusing existing tokens on reconnect, making it possible to circumvent the initial token expiry timestamp.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (2 packages)

NVD: openvpn/openvpn_access_server 2.9.0 2.9.6 +1
CVEListV5: openvpn/openvpn_access_server 2.8.3 and prior versions in addition to 2.9.5

🔴Vulnerability Details

GHSA: GHSA-3wxw-5w97-2cvf: OpenVPN Access Server older than version 2 (2022-05-24)

💬Community

Bugzilla: CVE-2020-15074 openvpn: new user authentication tokens instead of reusing exiting tokens circumvent the initial token expiry timestamp (2020-07-17)