CVE Vulnerabilities

CVE-2020-15078

Authentication Bypass by Primary Weakness

Published: Apr 26, 2021 | Modified: Nov 21, 2024
CVSS 3.x
7.5
HIGH
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 2.x
5 MEDIUM
AV:N/AC:L/Au:N/C:P/I:N/A:N
RedHat/V2
RedHat/V3
Ubuntu
MEDIUM

OpenVPN 2.5.1 and earlier versions allows a remote attackers to bypass authentication and access control channel data on servers configured with deferred authentication, which can be used to potentially trigger further information leaks.

Weakness

The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.

Affected Software

Name Vendor Start Version End Version
Openvpn Openvpn * 2.4.11 (excluding)
Openvpn Openvpn 2.5.0 (including) 2.5.2 (excluding)
Openvpn Ubuntu bionic *
Openvpn Ubuntu devel *
Openvpn Ubuntu focal *
Openvpn Ubuntu groovy *
Openvpn Ubuntu hirsute *
Openvpn Ubuntu impish *
Openvpn Ubuntu jammy *
Openvpn Ubuntu trusty *
Openvpn Ubuntu upstream *

References