CVE-2020-15078Authentication Bypass by Primary Weakness in Openvpn

CWE-305Authentication Bypass by Primary WeaknessCWE-306Missing Authentication for Critical FunctionCWE-287Improper Authentication7 documents6 sources
Severity
7.5HIGHNVD
EPSS
0.3%
top 43.78%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
OpenvpnCanonical Ubuntu LinuxDebian Linux+1 more
Timeline
PublishedApr 26
Latest updateMay 24

Description

OpenVPN 2.5.1 and earlier versions allows a remote attackers to bypass authentication and access control channel data on servers configured with deferred authentication, which can be used to potentially trigger further information leaks.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

NVDopenvpn/openvpn2.5.02.5.2+1
Debianopenvpn/openvpn< 2.5.1-2+3
CVEListV5openvpn/openvpn2.5.1 and earlier versions

Also affects: Debian Linux 9.0, Fedora 32, 33, 34, Ubuntu Linux 18.04, 20.04, 20.10, 21.04

Patches

Patch: community.openvpn.netPatch: community.openvpn.net

🔴Vulnerability Details

4
GHSA
GHSA-r2jp-995w-h282: OpenVPN 22022-05-24
OSV
openvpn vulnerabilities2021-05-04
CVEList
CVE-2020-15078: OpenVPN 22021-04-26
OSV
CVE-2020-15078: OpenVPN 22021-04-26

📋Vendor Advisories

2
Ubuntu
OpenVPN vulnerabilities2021-05-04
Debian
CVE-2020-15078: openvpn - OpenVPN 2.5.1 and earlier versions allows a remote attackers to bypass authentic...2020
CVE-2020-15078 — Openvpn vulnerability | cvebase