CVE-2023-27395

2023-10-1216:15:11

CWE-122

CWE-787

[email protected]

web.nvd.nist.gov

vpnserver

wpcparsepacket

network packet

arbitrary code execution

man-in-the-middle attack

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.3

Confidence

High

EPSS

0.001

Percentile

45.2%

JSON

A heap-based buffer overflow vulnerability exists in the vpnserver WpcParsePacket() functionality of SoftEther VPN 4.41-9782-beta, 5.01.9674 and 5.02. A specially crafted network packet can lead to arbitrary code execution. An attacker can perform a man-in-the-middle attack to trigger this vulnerability.

Affected configurations

Nvd

Node

softethervpnMatch4.41-9782beta

softethervpnMatch5.01.9674

softethervpnMatch5.02

VendorProductVersionCPE
softethervpn4.41-9782cpe:2.3:a:softether:vpn:4.41-9782:beta:*:*:*:*:*:*
softethervpn5.01.9674cpe:2.3:a:softether:vpn:5.01.9674:*:*:*:*:*:*:*
softethervpn5.02cpe:2.3:a:softether:vpn:5.02:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
softether	vpn	4.41-9782	cpe:2.3:a:softether:vpn:4.41-9782:beta::::::
softether	vpn	5.01.9674	cpe:2.3:a:softether:vpn:5.01.9674:::::::*
softether	vpn	5.02	cpe:2.3:a:softether:vpn:5.02:::::::*