Описание
CRLF injection vulnerability in the web interface in OpenVPN Access Server 2.1.4 allows remote attackers to inject arbitrary HTTP headers and consequently conduct session fixation attacks and possibly HTTP response splitting attacks via "%0A" characters in the PATH_INFO to session_start/.
Ссылки
- ExploitMailing ListThird Party Advisory
- Third Party AdvisoryVDB Entry
- ExploitMitigationThird Party Advisory
- ExploitMailing ListThird Party Advisory
- Third Party AdvisoryVDB Entry
- ExploitMitigationThird Party Advisory
Уязвимые конфигурации
Конфигурация 1
cpe:2.3:a:openvpn:openvpn_access_server:2.1.4:*:*:*:*:*:*:*
EPSS
Процентиль: 92%
0.08462
Низкий
6.1 Medium
CVSS3
4.3 Medium
CVSS2
Дефекты
CWE-93
Связанные уязвимости
CVSS3: 6.1
github
больше 3 лет назад
CRLF injection vulnerability in the web interface in OpenVPN Access Server 2.1.4 allows remote attackers to inject arbitrary HTTP headers and consequently conduct session fixation attacks and possibly HTTP response splitting attacks via "%0A" characters in the PATH_INFO to __session_start__/.
EPSS
Процентиль: 92%
0.08462
Низкий
6.1 Medium
CVSS3
4.3 Medium
CVSS2
Дефекты
CWE-93