CVE-2017-5868

Published: 26/05/2017 Updated: 06/06/2017
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 6.1 | Impact Score: 2.7 | Exploitability Score: 2.8
VMScore: 383
CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Summary

CRLF injection vulnerability in the web interface in OpenVPN Access Server 2.1.4 allows remote malicious users to inject arbitrary HTTP headers and consequently conduct session fixation attacks and possibly HTTP response splitting attacks via "%0A" characters in the PATH_INFO to __session_start__/.

Vulnerable Products

openvpn openvpn access server 2.1.4

Exploits

OpenVPN Access Server version 2.1.4 suffers from a CRLF injection vulnerability ...

Recent Articles

Last week: 'OpenVPN client is secure!' This week: 'Unpatched bug in OpenVPN server'
The Register • Richard Chirgwin • 24 May 2017

And it's a nasty one if the user you crack has admin rights

French security outfit Sysdream has gone public with a vulnerability in the admin interface for OpenVPN's server. The finding is a bit awkward because it comes after OpenVPN's client got a clean bill of health in two independent security audits earlier this month. The attack, designated CVE-2017-5868, was published by Sysdream's Julien Boulet 90 days after the company says OpenVPN first acknowledged the issue. While waiting for a fix, this OSS-SEC post suggests users put a reverse proxy between ...