CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-4234
https://notcve.org/view.php?id=CVE-2021-4234
06 Jul 2022 — OpenVPN Access Server 2.10 and prior versions are susceptible to resending multiple packets in a response to a reset packet sent from the client which the client again does not respond to, resulting in a limited amplification attack. OpenVPN Access Server versiones 2.10 y versiones anteriores, son susceptibles de reenviar múltiples paquetes en respuesta a un paquete de reinicio enviado desde el cliente al que éste no responde de nuevo, resultando en un ataque de amplificación limitada • https://openvpn.net/vpn-server-resources/release-notes/#openvpn-access-server-2-11-0 • CWE-406: Insufficient Control of Network Message Volume (Network Amplification) •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-33738
https://notcve.org/view.php?id=CVE-2022-33738
06 Jul 2022 — OpenVPN Access Server before 2.11 uses a weak random generator used to create user session token for the web portal OpenVPN Access Server versiones anteriores a 2.11, usa un generador aleatorio débil para crear un token de sesión de usuario para el portal web • https://openvpn.net/vpn-server-resources/release-notes/#openvpn-access-server-2-11-0 • CWE-331: Insufficient Entropy CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2020-15077
https://notcve.org/view.php?id=CVE-2020-15077
04 Jun 2021 — OpenVPN Access Server 2.8.7 and earlier versions allows a remote attackers to bypass authentication and access control channel data on servers configured with deferred authentication, which can be used to potentially trigger further information leaks. OpenVPN Access Server versiones 2.8.7 y anteriores, permiten a atacantes remotos omitir la autenticación y los datos del canal de control de acceso en servidores configurados con autenticación diferida, que puede ser usado para desencadenar potencialmente nuev... • https://openvpn.net/security-advisory/access-server-security-update-cve-2020-15077 • CWE-287: Improper Authentication CWE-305: Authentication Bypass by Primary Weakness •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2020-15074
https://notcve.org/view.php?id=CVE-2020-15074
14 Jul 2020 — OpenVPN Access Server older than version 2.8.4 and version 2.9.5 generates new user authentication tokens instead of reusing exiting tokens on reconnect making it possible to circumvent the initial token expiry timestamp. El servidor de acceso OpenVPN anterior a la versión 2.8.4 y la versión 2.9.5 genera nuevos tokens de autenticación de usuario en lugar de reutilizar los tokens existentes en la reconexión, lo que permite eludir la marca de tiempo de caducidad del token inicial • https://openvpn.net/vpn-server-resources/release-notes • CWE-302: Authentication Bypass by Assumed-Immutable Data CWE-613: Insufficient Session Expiration •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2020-11462
https://notcve.org/view.php?id=CVE-2020-11462
04 May 2020 — An issue was discovered in OpenVPN Access Server before 2.7.0 and 2.8.x before 2.8.3. With the full featured RPC2 interface enabled, it is possible to achieve a temporary DoS state of the management interface when sending an XML Entity Expansion (XEE) payload to the XMLRPC based RPC2 interface. The duration of the DoS state depends on available memory and CPU speed. The default restricted mode of the RPC2 interface is NOT vulnerable. Se ha descubierto un problema en OpenVPN Access Server versiones anteriore... • https://openvpn.net/vpn-server-resources/release-notes/#Release_notes_for_OpenVPN_Access_Server_283 • CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') •
CVSS: 6.8EPSS: 1%CPEs: 142EXPL: 0CVE-2014-8104 – Mandriva Linux Security Advisory 2014-246
https://notcve.org/view.php?id=CVE-2014-8104
02 Dec 2014 — OpenVPN 2.x before 2.0.11, 2.1.x, 2.2.x before 2.2.3, and 2.3.x before 2.3.6 allows remote authenticated users to cause a denial of service (server crash) via a small control channel packet. OpenVPN 2.x anterior a 2.0.11, 2.1.x, 2.2.x anterior a 2.2.3, y 2.3.x anterior a 2.3.6 permite a usuarios remotos autenticados causar una denegación de servicio (caída del servidor) a través de un paquete de canal de control pequeño. Dragana Damjanovic discovered that OpenVPN incorrectly handled certain control channel ... • http://advisories.mageia.org/MGASA-2014-0512.html • CWE-399: Resource Management Errors •
CVSS: 5.9EPSS: 0%CPEs: 16EXPL: 1CVE-2013-2061 – Mandriva Linux Security Advisory 2013-167
https://notcve.org/view.php?id=CVE-2013-2061
28 May 2013 — The openvpn_decrypt function in crypto.c in OpenVPN 2.3.0 and earlier, when running in UDP mode, allows remote attackers to obtain sensitive information via a timing attack involving an HMAC comparison function that does not run in constant time and a padding oracle attack on the CBC mode cipher. La función openvpn_decrypt en el archivo crypto.c en OpenVPN versiones 2.3.0 y anteriores, cuando se ejecuta en modo UDP, permite a los atacantes remotos obtener información confidencial por medio de un ataque de s... • http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105568.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •