Lucene search

[email protected]CVE-2022-0547

HistoryMar 18, 2022 - 6:15 p.m.

CVE-2022-0547

2022-03-1818:15:12

CWE-287

CWE-305

[email protected]

web.nvd.nist.gov

1008

cve-2022-0547

openvpn

authentication bypass

external authentication

security vulnerability

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.3 High

AI Score

Confidence

High

0.007 Low

EPSS

Percentile

80.5%

JSON

OpenVPN 2.1 until v2.4.12 and v2.5.6 may enable authentication bypass in external authentication plug-ins when more than one of them makes use of deferred authentication replies, which allows an external user to be granted access with only partially correct credentials.

Affected configurations

NVD

Node

openvpnopenvpnRange2.1.0–2.4.12

openvpnopenvpnRange2.5.0–2.5.6

Node

fedoraprojectfedoraMatch34

fedoraprojectfedoraMatch36

Node

debiandebian_linuxMatch9.0

CPENameOperatorVersion
openvpn:openvpnopenvpnlt2.4.12
openvpn:openvpnopenvpnlt2.5.6

CPE	Name	Operator	Version
openvpn:openvpn	openvpn	lt	2.4.12
openvpn:openvpn	openvpn	lt	2.5.6

CNA Affected

[
  {
    "product": "OpenVPN",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "version 2.1 until version 2.4.12 and 2.5.6."
      }
    ]
  }
]