CVE-2024-34446
Severity Score
7.5
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
Attend
*SSVC
Descriptions
Mullvad VPN through 2024.1 on Android does not set a DNS server in the blocking state (after a hard failure to create a tunnel), and thus DNS traffic can leave the device. Data showing that the affected device was the origin of sensitive DNS requests may be observed and logged by operators of unintended DNS servers.
Mullvad VPN hasta 2024.1 en Android no configura un servidor DNS en estado de bloqueo (después de un error grave al crear un túnel) y, por lo tanto, el tráfico DNS puede salir del dispositivo. Los operadores de servidores DNS no deseados pueden observar y registrar datos que muestren que el dispositivo afectado fue el origen de solicitudes DNS confidenciales.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:Attend
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2024-05-03 CVE Reserved
- 2024-05-03 CVE Published
- 2024-05-04 EPSS Updated
- 2024-08-02 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-923: Improper Restriction of Communication Channel to Intended Endpoints
CAPEC
References (5)
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Mullvad Search vendor "Mullvad" | Mullvad Vpn Search vendor "Mullvad" for product "Mullvad Vpn" | * | - |
Affected
| ||||||