CVE-2023-6247: PKCS#7 parser in OpenVPN 3 Core Library can result in NULL-dereference
The PKCS#7 parser in OpenVPN 3 Core Library versions through 3.8.3 did not properly validate the parsed data, which would result in the application crashing.
This is resolved in OpenVPN 3 Core Library version 3.8.4.
Note
The code paths this issue is related to are never used for OpenVPN connections. The related code is used only in some of the AWS API support functionality present in the library.
References
- MITRE CVE Record: https://www.cve.org/CVERecord?id=CVE-2023-6247
- OpenVPN 3 Core commit: https://github.com/OpenVPN/openvpn3/commit/afdfe1bb3f4c54e8794
- Reported by: Bahaa Naamneh
Last modified on 03/18/24 17:57:19