CVE-2023-46849

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Using the --fragment option in certain configuration setups OpenVPN version 2.6.0 to 2.6.6 allows an attacker to trigger a divide by zero behaviour which could cause an application crash, leading to a denial of service.

El uso de la opción --fragment en ciertas configuraciones de OpenVPN versión 2.6.0 a 2.6.6 permite a un atacante desencadenar un comportamiento de división por cero que podría provocar un bloqueo de la aplicación y provocar una denegación de servicio.

*Credits: N/A

CVSS Scores

NISTv3.1 7.5

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-10-27 CVE Reserved
2023-11-11 CVE Published
2024-08-02 CVE Updated
2024-11-17 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-369: Divide By Zero

CAPEC

References (5)

URL	Tag	Source
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L3FS46ANNTAVLIQY56ZKGM5CBTRVBUNE	Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O54I7D753V6PU6XBU26FEROD2DSHEJQ4
https://www.debian.org/security/2023/dsa-5555	Third Party Advisory

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://community.openvpn.net/openvpn/wiki/CVE-2023-46849	2023-11-29
https://openvpn.net/security-advisory/access-server-security-update-cve-2023-46849-cve-2023-46850	2023-11-29

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Openvpn Search vendor "Openvpn"		Openvpn Search vendor "Openvpn" for product "Openvpn"				>= 2.6.0 <= 2.6.6 Search vendor "Openvpn" for product "Openvpn" and version " >= 2.6.0 <= 2.6.6"		community		Affected
Openvpn Search vendor "Openvpn"		Openvpn Access Server Search vendor "Openvpn" for product "Openvpn Access Server"				>= 2.11.0 <= 2.11.3 Search vendor "Openvpn" for product "Openvpn Access Server" and version " >= 2.11.0 <= 2.11.3"		-		Affected
Openvpn Search vendor "Openvpn"		Openvpn Access Server Search vendor "Openvpn" for product "Openvpn Access Server"				2.12.0 Search vendor "Openvpn" for product "Openvpn Access Server" and version "2.12.0"		-		Affected
Openvpn Search vendor "Openvpn"		Openvpn Access Server Search vendor "Openvpn" for product "Openvpn Access Server"				2.12.1 Search vendor "Openvpn" for product "Openvpn Access Server" and version "2.12.1"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				12.0 Search vendor "Debian" for product "Debian Linux" and version "12.0"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				39 Search vendor "Fedoraproject" for product "Fedora" and version "39"		-		Affected