CVE-2023-7235Incorrect Default Permissions in GUI

CWE-276Incorrect Default Permissions2 documents2 sources
Severity
8.4HIGHNVD
EPSS
0.0%
top 91.95%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Openvpn GUIOpenvpn
Timeline
PublishedFeb 21

Description

The OpenVPN GUI installer before version 2.6.9 did not set the proper access control restrictions to the installation directory of OpenVPN binaries when using a non-standard installation path, which allows an attacker to replace binaries to run arbitrary executables.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.5 | Impact: 5.9

Affected Packages2 packages

NVDopenvpn/openvpn_gui< 2.6.9
CVEListV5openvpn/openvpn2.6.8

🔴Vulnerability Details

1
GHSA
GHSA-pq76-qjgj-qv82: The OpenVPN GUI installer before version 22024-02-21