CVE-2017-7520
https://notcve.org/view.php?id=CVE-2017-7520
OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to denial-of-service and/or possibly sensitive memory leak triggered by man-in-the-middle attacker. Las versiones anteriores a 2.4.3 y anterior a 2.3.17 de OpenVPN, son vulnerables a la denegación de servicio y/o posiblemente a la pérdida de memoria confidencial activada por un atacante de tipo man-in-the-middle. • http://www.debian.org/security/2017/dsa-3900 http://www.securityfocus.com/bid/99230 http://www.securitytracker.com/id/1038768 https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243 • CWE-125: Out-of-bounds Read CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2017-7508
https://notcve.org/view.php?id=CVE-2017-7508
OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to remote denial-of-service when receiving malformed IPv6 packet. Las versiones anteriores a 2.4.3 y anterior a 2.3.17 de OpenVPN, son vulnerables a la denegación de servicio remota cuando se reciben paquetes IPv6 malformados. • http://www.debian.org/security/2017/dsa-3900 http://www.securityfocus.com/bid/99230 http://www.securitytracker.com/id/1038768 https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243 • CWE-617: Reachable Assertion •
CVE-2017-7522
https://notcve.org/view.php?id=CVE-2017-7522
OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to denial-of-service by authenticated remote attacker via sending a certificate with an embedded NULL character. Las versiones de OpenVPN anteriores a 2.4.3 y 2.3.17, son vulnerables a una denegación de servicio por parte de un atacante remoto autenticado mediante el envío de un certificado con un carácter NULL insertado. • http://www.securityfocus.com/bid/99230 http://www.securitytracker.com/id/1038768 https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243 • CWE-20: Improper Input Validation CWE-476: NULL Pointer Dereference •
CVE-2017-7521
https://notcve.org/view.php?id=CVE-2017-7521
OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to remote denial-of-service due to memory exhaustion caused by memory leaks and double-free issue in extract_x509_extension(). Las versiones de OpenVPN anteriores a 2.4.3 y 2.3.17, son vulnerables a una denegación de servicio remota debido a un agotamiento de memoria causado por pérdida de memoria y un problema de doble liberación (Double Free) en la función extract_x509_extension(). • http://www.debian.org/security/2017/dsa-3900 http://www.securityfocus.com/bid/99230 http://www.securitytracker.com/id/1038768 https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243 • CWE-400: Uncontrolled Resource Consumption CWE-415: Double Free CWE-772: Missing Release of Resource after Effective Lifetime •
CVE-2017-5868 – OpenVPN Access Server 2.1.4 CRLF Injection
https://notcve.org/view.php?id=CVE-2017-5868
CRLF injection vulnerability in the web interface in OpenVPN Access Server 2.1.4 allows remote attackers to inject arbitrary HTTP headers and consequently conduct session fixation attacks and possibly HTTP response splitting attacks via "%0A" characters in the PATH_INFO to __session_start__/. Una vulnerabilidad de inyección CRLF en la interfaz web en OpenVPN Access Server versión 2.1.4, permite a los atacantes remotos inyectar encabezados HTTP arbitrarios y, en consecuencia, conducir ataques de fijación de sesión y posiblemente ataques de división de respuesta HTTP por medio de caracteres "%0A" en la variable PATH_INFO en la función __session_start __ /. OpenVPN Access Server version 2.1.4 suffers from a CRLF injection vulnerability. • http://www.openwall.com/lists/oss-security/2017/05/23/13 http://www.securitytracker.com/id/1038547 https://sysdream.com/news/lab/2017-05-05-cve-2017-5868-openvpn-access-server-crlf-injection-with-session-fixation • CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') •