CVE-2020-15078

Name
CVE-2020-15078
Description
OpenVPN 2.5.1 and earlier versions allow remote attackers to bypass authentication and access control channel data on servers configured with deferred authentication, which can be used to potentially trigger further information leaks.
NVD Severity
medium

References

Type                  URI
MISC                  https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements
MISC                  https://community.openvpn.net/openvpn/wiki/CVE-2020-15078
FEDORA                https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JGEGLC4YGBDN5CGHTNWN2GH6DJJA36T2/
Third Party Advisory  https://security.gentoo.org/glsa/202105-25
FEDORA                https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GJUXEYHUPREEBPX23VPEKMFXUPVO3PMU/
FEDORA                https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PLDB3OBQ3AODYYRN7NRCABV6I4AUFAT6/
UBUNTU                https://usn.ubuntu.com/usn/usn-4933-1
Mailing List          https://lists.debian.org/debian-lts-announce/2022/05/msg00002.html

Match rules

CPE URI                                    Source package  Min version  Max version
cpe:2.3:a:openvpn:openvpn:*:*:*:*:*:*:*:*  openvpn         >= None      < 2.4.11
cpe:2.3:a:openvpn:openvpn:*:*:*:*:*:*:*:*  openvpn         >= 2.5.0     < 2.5.2

Vulnerable and fixed packages

Source package  Branch     Version    Maintainer                            Status
openvpn         3.11-main  2.4.11-r0  Natanael Copa <ncopa@alpinelinux.org>  fixed
openvpn         3.10-main  2.4.11-r0  Natanael Copa <ncopa@alpinelinux.org>  fixed