Changes between Version 4 and Version 5 of CVE-2020-15078
- Timestamp:
- 04/21/21 12:28:50 (3 years ago)
Legend:
- Unmodified
- Added
- Removed
- Modified
-
CVE-2020-15078
v4 v5 1 1 = CVE-2020-15078 = 2 3 == Overview == 2 4 3 5 OpenVPN 2.5.1 and earlier versions allows a remote attackers to bypass authentication and access control channel data on servers configured with deferred authentication, which can be used to potentially trigger further information leaks. 4 6 5 = Detailed description=7 == Detailed description == 6 8 7 9 Under very specific circumstances it is possible to allow tricking a server using delayed authentication (plugin or management) into returning a PUSH_REPLY before the AUTH_FAILED message, which can possibly be used to gather information about a VPN setup. In combination with "--auth-gen-token" or a user-specific token auth solution it can be possible to get access to a VPN with an otherwise-invalid account. 8 10 9 = Fixed OpenVPN versions=11 == Fixed OpenVPN versions == 10 12 11 13 This vulnerability has been fixed in … … 18 20 * OpenVPN 2.5.2 19 21 * OpenVPN 2.4.11 22 23 == Recommendations == 24 25 We recommend upgrading to a fixed version.