CVSS3
Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | HIGH |
Privileges Required | NONE |
User Interaction | NONE |
Scope | CHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |
Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H |

EPSS Percentile: 45.2%
SoftEther VPN, provided by the University of Tsukuba SoftEther VPN Project, and PacketiX VPN, provided by SoftEther Corporation, contain the multiple vulnerabilities listed below in the VPN Client function and in the Dynamic DNS Client function included in the VPN server.
Heap-based buffer overflow (CWE-122) - CVE-2023-27395
Version | Vector | Score |
---|---|---|
CVSS v3 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | Base Score: 8.1 |
CVSS v2 | AV:N/AC:H/Au:N/C:P/I:P/A:P | Base Score: 5.1 |
Integer overflow or wraparound (CWE-190) - CVE-2023-22325
Version | Vector | Score |
---|---|---|
CVSS v3 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H | Base Score: 5.9 |
CVSS v2 | AV:N/AC:H/Au:N/C:N/I:N/A:P | Base Score: 2.6 |
Exposure of resource to wrong sphere (CWE-668) - CVE-2023-32275
Version | Vector | Score |
---|---|---|
CVSS v3 | CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N | Base Score: 4.4 |
CVSS v2 | AV:L/AC:M/Au:S/C:P/I:N/A:N | Base Score: 1.5 |
Improper access control (CWE-284) - CVE-2023-27516
Version | Vector | Score |
---|---|---|
CVSS v3 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L | Base Score: 7.0 |
CVSS v2 | AV:N/AC:H/Au:N/C:P/I:P/A:P | Base Score: 5.1 |
Channel accessible by non-endpoint (CWE-300) - CVE-2023-32634
Version | Vector | Score |
---|---|---|
CVSS v3 | CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N | Base Score: 3.9 |
CVSS v2 | AV:L/AC:M/Au:S/C:P/I:P/A:N | Base Score: 3.0 |
Use of uninitialized resource (CWE-908) - CVE-2023-31192
Version | Vector | Score |
---|---|---|
CVSS v3 | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N | Base Score: 3.1 |
CVSS v2 | AV:N/AC:H/Au:S/C:P/I:N/A:N | Base Score: 2.1 |
Apply the Patch
Apply the appropriate patch according to the information provided by the developer.
Apply Workarounds
Applying the workarounds may mitigate the impacts of these vulnerabilities.
For the details, refer to the information provided by the developer.
CVE-2023-27395, CVE-2023-22325
SoftEther VPN 4.41 Build 9787 RTM and earlier
CVE-2023-32275, CVE-2023-27516, CVE-2023-32634, CVE-2023-31192
SoftEther VPN 4.41 Build 9787 RTM and earlier
Product version PacketiX VPN 4.41 Build 9787 RTM and earlier (Japan domestic sales only)