Vulnerabilities > Openvpn
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2017-05-26 | CVE-2017-5868 | CRLF Injection vulnerability in Openvpn Access Server 2.1.4 CRLF injection vulnerability in the web interface in OpenVPN Access Server 2.1.4 allows remote attackers to inject arbitrary HTTP headers and consequently conduct session fixation attacks and possibly HTTP response splitting attacks via "%0A" characters in the PATH_INFO to __session_start__/. | 4.3 |
| 2017-05-15 | CVE-2017-7479 | Reachable Assertion vulnerability in Openvpn OpenVPN versions before 2.3.15 and before 2.4.2 are vulnerable to reachable assertion when packet-ID counter rolls over resulting into Denial of Service of server by authenticated attacker. | 4.0 |
| 2017-05-15 | CVE-2017-7478 | Improper Input Validation vulnerability in Openvpn OpenVPN version 2.3.12 and newer is vulnerable to unauthenticated Denial of Service of server via received large control packet. | 5.0 |
| 2017-01-31 | CVE-2016-6329 | Information Exposure vulnerability in Openvpn OpenVPN, when using a 64-bit block cipher, makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTP-over-OpenVPN session using Blowfish in CBC mode, aka a "Sweet32" attack. | 4.3 |
| 2014-12-03 | CVE-2014-8104 | Resource Management Errors vulnerability in multiple products OpenVPN 2.x before 2.0.11, 2.1.x, 2.2.x before 2.2.3, and 2.3.x before 2.3.6 allows remote authenticated users to cause a denial of service (server crash) via a small control channel packet. | 6.8 |
| 2014-11-26 | CVE-2014-9104 | Cross-Site Request Forgery (CSRF) vulnerability in Openvpn Access Server 1.5.6 Multiple cross-site request forgery (CSRF) vulnerabilities in the XML-RPC API in the Desktop Client in OpenVPN Access Server 1.5.6 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) disconnecting established VPN sessions, (2) connect to arbitrary VPN servers, or (3) create VPN profiles and execute arbitrary commands via crafted API requests. | 6.8 |
| 2014-08-25 | CVE-2014-5455 | Unquoted Search Path OR Element vulnerability in multiple products Unquoted Windows search path vulnerability in the ptservice service prior to PrivateTunnel version 3.0 (Windows) and OpenVPN Connect version 3.1 (Windows) allows local users to gain privileges via a crafted program.exe file in the %SYSTEMDRIVE% folder. | 6.9 |
| 2014-05-13 | CVE-2013-2692 | Cross-Site Request Forgery (CSRF) vulnerability in Openvpn Access Server 1.5.6 Cross-site request forgery (CSRF) vulnerability in the Admin web interface in OpenVPN Access Server before 1.8.5 allows remote attackers to hijack the authentication of administrators for requests that create administrative users. | 6.8 |
| 2013-11-18 | CVE-2013-2061 | Information Exposure vulnerability in multiple products The openvpn_decrypt function in crypto.c in OpenVPN 2.3.0 and earlier, when running in UDP mode, allows remote attackers to obtain sensitive information via a timing attack involving an HMAC comparison function that does not run in constant time and a padding oracle attack on the CBC mode cipher. | 2.6 |
| 2008-08-04 | CVE-2008-3459 | Configuration vulnerability in Openvpn 2.1 Unspecified vulnerability in OpenVPN 2.1-beta14 through 2.1-rc8, when running on non-Windows systems, allows remote servers to execute arbitrary commands via crafted (1) lladdr and (2) iproute configuration directives, probably related to shell metacharacters. | 7.6 |