CVE-2022-24299 — Improper Input Validation in Pfsense

CWE-20 — Improper Input Validation3 documents3 sources

Severity

8.8HIGHNVD

EPSS

0.3%

top 49.52%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Netgate Pfsense Netgate Pfsense Plus Pfsense CE AND Pfsense Plus

Timeline

PublishedMar 31

Latest updateApr 1

Description

Improper input validation vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions prior to 2.6.0 and pfSense Plus software versions prior to 22.01) allows a remote attacker with the privilege to change OpenVPN client or server settings to execute an arbitrary command.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶NVDnetgate/pfsense_plus< 22.01

▶CVEListV5pfsense/pfsense_ce_and_pfsense_pluspfSense CE software versions prior to 2.6.0 and pfSense Plus software versions prior to 22.01

▶NVDnetgate/pfsense< 2.6.0

Patches

Patch: docs.netgate.com ↗Patch: jvn.jp ↗Patch: docs.netgate.com ↗

🔴Vulnerability Details

GHSA

GHSA-36p3-j543-mpj6: Improper input validation vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions prior to 2↗2022-04-01

▶

CVEList

CVE-2022-24299: Improper input validation vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions prior to 2↗2022-03-31

▶