CVSS: 10.0EPSS: 5%CPEs: 5EXPL: 0CVE-2023-46850 – Ubuntu Security Notice USN-6484-1
https://notcve.org/view.php?id=CVE-2023-46850
11 Nov 2023 — Use after free in OpenVPN version 2.6.0 to 2.6.6 may lead to undefined behavoir, leaking memory buffers or remote execution when sending network buffers to a remote peer. Use after free en OpenVPN versión 2.6.0 a 2.6.6 puede provocar un comportamiento indefinido, pérdida de búferes de memoria o ejecución remota al enviar búferes de red a un par remoto. It was discovered that OpenVPN incorrectly handled the --fragment option in certain configurations. A remote attacker could possibly use this issue to cause ... • https://community.openvpn.net/openvpn/wiki/CVE-2023-46850 • CWE-416: Use After Free •
CVSS: 7.8EPSS: 1%CPEs: 6EXPL: 0CVE-2023-46849 – Ubuntu Security Notice USN-6484-1
https://notcve.org/view.php?id=CVE-2023-46849
11 Nov 2023 — Using the --fragment option in certain configuration setups OpenVPN version 2.6.0 to 2.6.6 allows an attacker to trigger a divide by zero behaviour which could cause an application crash, leading to a denial of service. El uso de la opción --fragment en ciertas configuraciones de OpenVPN versión 2.6.0 a 2.6.6 permite a un atacante desencadenar un comportamiento de división por cero que podría provocar un bloqueo de la aplicación y provocar una denegación de servicio. It was discovered that OpenVPN incorrect... • https://community.openvpn.net/openvpn/wiki/CVE-2023-46849 • CWE-369: Divide By Zero •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-4234
https://notcve.org/view.php?id=CVE-2021-4234
06 Jul 2022 — OpenVPN Access Server 2.10 and prior versions are susceptible to resending multiple packets in a response to a reset packet sent from the client which the client again does not respond to, resulting in a limited amplification attack. OpenVPN Access Server versiones 2.10 y versiones anteriores, son susceptibles de reenviar múltiples paquetes en respuesta a un paquete de reinicio enviado desde el cliente al que éste no responde de nuevo, resultando en un ataque de amplificación limitada • https://openvpn.net/vpn-server-resources/release-notes/#openvpn-access-server-2-11-0 • CWE-406: Insufficient Control of Network Message Volume (Network Amplification) •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-33738
https://notcve.org/view.php?id=CVE-2022-33738
06 Jul 2022 — OpenVPN Access Server before 2.11 uses a weak random generator used to create user session token for the web portal OpenVPN Access Server versiones anteriores a 2.11, usa un generador aleatorio débil para crear un token de sesión de usuario para el portal web • https://openvpn.net/vpn-server-resources/release-notes/#openvpn-access-server-2-11-0 • CWE-331: Insufficient Entropy CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-33737
https://notcve.org/view.php?id=CVE-2022-33737
06 Jul 2022 — The OpenVPN Access Server installer creates a log file readable for everyone, which from version 2.10.0 and before 2.11.0 may contain a random generated admin password El instalador de OpenVPN Access Server crea un archivo de registro legible para todo el mundo, que a partir de la versión 2.10.0 y versiones anteriores a 2.11.0, puede contener una contraseña de administrador generada aleatoriamente • https://openvpn.net/vpn-server-resources/release-notes • CWE-532: Insertion of Sensitive Information into Log File CWE-708: Incorrect Ownership Assignment •