OpenVPN — свободная реализация технологии виртуальной частной сети (VPN) с открытым исходным кодом для создания зашифрованных каналoв типа точка-точка или сервер-клиенты между компьютерами.
Релизный цикл, информация об уязвимостях
График релизов
Количество 203
CVE-2020-15078
OpenVPN 2.5.1 and earlier versions allows a remote attackers to bypass authentication and access control channel data on servers configured with deferred authentication, which can be used to potentially trigger further information leaks.
BDU:2021-02221
Уязвимость функции отложенной аутентификации deferred_auth программного обеспечения OpenVPN, позволяющая нарушителю вынудить сервер вернуть сообщение PUSH_REPLY c данными о настройках VPN до отправки сообщения AUTH_FAILED
CVE-2020-27569
Arbitrary File Write exists in Aviatrix VPN Client 2.8.2 and earlier. The VPN service writes logs to a location that is world writable and can be leveraged to gain write access to any file on the system.
CVE-2020-11810
An issue was discovered in OpenVPN 2.4.x before 2.4.9. An attacker can inject a data channel v2 (P_DATA_V2) packet using a victim's peer-id. Normally such packets are dropped, but if this packet arrives before the data channel crypto parameters have been initialized, the victim's connection will be dropped. This requires careful timing due to the small time window (usually within a few seconds) between the victim client connection starting and the server PUSH_REPLY response back to the client. This attack will only work if Negotiable Cipher Parameters (NCP) is in use.
CVE-2020-11810
An issue was discovered in OpenVPN 2.4.x before 2.4.9. An attacker can ...
CVE-2020-11810
An issue was discovered in OpenVPN 2.4.x before 2.4.9. An attacker can inject a data channel v2 (P_DATA_V2) packet using a victim's peer-id. Normally such packets are dropped, but if this packet arrives before the data channel crypto parameters have been initialized, the victim's connection will be dropped. This requires careful timing due to the small time window (usually within a few seconds) between the victim client connection starting and the server PUSH_REPLY response back to the client. This attack will only work if Negotiable Cipher Parameters (NCP) is in use.
BDU:2020-01777
Уязвимость программного обеспечения OpenVPN, существущая из-за недостаточной проверки входных данных, позволяющая нарушителю перевести сеанс клиента на новый IP-адрес и вызвать отказ в обслуживании
CVE-2020-7224
The Aviatrix OpenVPN client through 2.5.7 on Linux, macOS, and Windows is vulnerable when OpenSSL parameters are altered from the issued value set; the parameters could allow unauthorized third-party libraries to load.
openSUSE-SU-2018:1912-1
Security update for openvpn
SUSE-SU-2018:1888-1
Security update for openvpn
Уязвимостей на страницу
Уязвимость | CVSS | EPSS | Опубликовано 1 | |
|---|---|---|---|---|
 | CVE-2020-15078 OpenVPN 2.5.1 and earlier versions allows a remote attackers to bypass authentication and access control channel data on servers configured with deferred authentication, which can be used to potentially trigger further information leaks. | CVSS3: 7.5 | 0% Низкий | почти 5 лет назад |
 | BDU:2021-02221 Уязвимость функции отложенной аутентификации deferred_auth программного обеспечения OpenVPN, позволяющая нарушителю вынудить сервер вернуть сообщение PUSH_REPLY c данными о настройках VPN до отправки сообщения AUTH_FAILED | CVSS3: 5.3 | 0% Низкий | почти 5 лет назад |
 | CVE-2020-27569 Arbitrary File Write exists in Aviatrix VPN Client 2.8.2 and earlier. The VPN service writes logs to a location that is world writable and can be leveraged to gain write access to any file on the system. | CVSS3: 7.5 | 0% Низкий | почти 5 лет назад |
| CVE-2020-11810 An issue was discovered in OpenVPN 2.4.x before 2.4.9. An attacker can inject a data channel v2 (P_DATA_V2) packet using a victim's peer-id. Normally such packets are dropped, but if this packet arrives before the data channel crypto parameters have been initialized, the victim's connection will be dropped. This requires careful timing due to the small time window (usually within a few seconds) between the victim client connection starting and the server PUSH_REPLY response back to the client. This attack will only work if Negotiable Cipher Parameters (NCP) is in use. | CVSS3: 3.7 | 2% Низкий | почти 6 лет назад |
| CVE-2020-11810 An issue was discovered in OpenVPN 2.4.x before 2.4.9. An attacker can ... | CVSS3: 3.7 | 2% Низкий | почти 6 лет назад |
| CVE-2020-11810 An issue was discovered in OpenVPN 2.4.x before 2.4.9. An attacker can inject a data channel v2 (P_DATA_V2) packet using a victim's peer-id. Normally such packets are dropped, but if this packet arrives before the data channel crypto parameters have been initialized, the victim's connection will be dropped. This requires careful timing due to the small time window (usually within a few seconds) between the victim client connection starting and the server PUSH_REPLY response back to the client. This attack will only work if Negotiable Cipher Parameters (NCP) is in use. | CVSS3: 3.7 | 2% Низкий | почти 6 лет назад |
| BDU:2020-01777 Уязвимость программного обеспечения OpenVPN, существущая из-за недостаточной проверки входных данных, позволяющая нарушителю перевести сеанс клиента на новый IP-адрес и вызвать отказ в обслуживании | CVSS3: 3.7 | почти 6 лет назад | |
| CVE-2020-7224 The Aviatrix OpenVPN client through 2.5.7 on Linux, macOS, and Windows is vulnerable when OpenSSL parameters are altered from the issued value set; the parameters could allow unauthorized third-party libraries to load. | CVSS3: 9.8 | 1% Низкий | почти 6 лет назад |
 | openSUSE-SU-2018:1912-1 Security update for openvpn | 0% Низкий | больше 7 лет назад | |
| SUSE-SU-2018:1888-1 Security update for openvpn | 0% Низкий | больше 7 лет назад |
Уязвимостей на страницу