Changes between Version 2 and Version 3 of CVE-2020-15078
Timestamp: 04/21/21 12:28:00 (3 years ago)
CVE-2020-15078
v2 v3 7 7 Under very specific circumstances it is possible to allow tricking a server using delayed authentication (plugin or management) into returning a PUSH_REPLY before the AUTH_FAILED message, which can possibly be used to gather information about a VPN setup. In combination with "--auth-gen-token" or a user-specific token auth solution it can be possible to get access to a VPN with an otherwise-invalid account. 8 8 9 = Recommendations =9 = Fixed OpenVPN versions = 10 10 11 This vulnerabiliyt has been fixed in release/2.5 and release/2.4 branches. We recommend upgrading to OpenVPN 2.5.2 or 2.4.11. 11 This vulnerabiliyt has been fixed in 12 13 * release/2.5 branch (commits f7b3bf06, 3d18e308c4 and 3aca477a1b5) 14 * release/2.4 branch (commit 0e5516a9) 15 16 Releases with the fix are: 17 18 * OpenVPN 2.5.2 19 * OpenVPN 2.4.11
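Review bot: the rewritten line 11 in v3 still carries the typo "vulnerabiliyt" from v2; correct it to "vulnerability" while the sentence is being changed anyway. Renaming the heading from "Recommendations" to "Fixed OpenVPN versions" also drops the explicit "We recommend upgrading to OpenVPN 2.5.2 or 2.4.11" sentence, so v3 lists the fixed releases without telling readers to upgrade; consider keeping that sentence after the release list. The commit ids are abbreviated to different lengths (f7b3bf06, 3d18e308c4, 3aca477a1b5, 0e5516a9); a uniform length would make them easier to check against the repository.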