CVE-2020-15078

CVE-2020-15078

Name

CVE-2020-15078

Description

OpenVPN 2.5.1 and earlier versions allows a remote attackers to bypass authentication and access control channel data on servers configured with deferred authentication, which can be used to potentially trigger further information leaks.

NVD Severity

medium

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
MISC	https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements
MISC	https://community.openvpn.net/openvpn/wiki/CVE-2020-15078
FEDORA	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JGEGLC4YGBDN5CGHTNWN2GH6DJJA36T2/
Third Party Advisory	https://security.gentoo.org/glsa/202105-25
FEDORA	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GJUXEYHUPREEBPX23VPEKMFXUPVO3PMU/
FEDORA	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PLDB3OBQ3AODYYRN7NRCABV6I4AUFAT6/
UBUNTU	https://usn.ubuntu.com/usn/usn-4933-1
Mailing List	https://lists.debian.org/debian-lts-announce/2022/05/msg00002.html

Type

URI

MISC

https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements

MISC

https://community.openvpn.net/openvpn/wiki/CVE-2020-15078

FEDORA

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JGEGLC4YGBDN5CGHTNWN2GH6DJJA36T2/

Third Party Advisory

https://security.gentoo.org/glsa/202105-25

FEDORA

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GJUXEYHUPREEBPX23VPEKMFXUPVO3PMU/

FEDORA

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PLDB3OBQ3AODYYRN7NRCABV6I4AUFAT6/

UBUNTU

https://usn.ubuntu.com/usn/usn-4933-1

Mailing List

https://lists.debian.org/debian-lts-announce/2022/05/msg00002.html

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:openvpn:openvpn::::::::`	openvpn	>= None	< 2.4.11
`cpe:2.3:a:openvpn:openvpn::::::::`	openvpn	>= 2.5.0	< 2.5.2

CPE URI

Source package

Min version

Max version

cpe:2.3:a:openvpn:openvpn:*:*:*:*:*:*:*:*

openvpn

>= None

< 2.4.11

cpe:2.3:a:openvpn:openvpn:*:*:*:*:*:*:*:*

openvpn

>= 2.5.0

< 2.5.2

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
openvpn	edge-main	2.5.2-r0	Natanael Copa <ncopa@alpinelinux.org>	fixed
openvpn	edge-main	2.4.9-r0	None	possibly vulnerable
openvpn	edge-main	2.4.6-r0	None	possibly vulnerable
openvpn	3.22-main	2.5.2-r0	None	fixed
openvpn	3.22-main	2.4.9-r0	None	possibly vulnerable
openvpn	3.22-main	2.4.6-r0	None	possibly vulnerable
openvpn	3.21-main	2.5.2-r0	None	fixed
openvpn	3.21-main	2.4.9-r0	None	possibly vulnerable
openvpn	3.21-main	2.4.6-r0	None	possibly vulnerable
openvpn	3.20-main	2.5.2-r0	None	fixed
openvpn	3.20-main	2.4.9-r0	None	possibly vulnerable
openvpn	3.20-main	2.4.6-r0	None	possibly vulnerable
openvpn	3.19-main	2.5.2-r0	None	fixed
openvpn	3.19-main	2.4.9-r0	None	possibly vulnerable
openvpn	3.19-main	2.4.6-r0	None	possibly vulnerable
openvpn	3.18-main	2.5.2-r0	None	fixed
openvpn	3.17-main	2.5.2-r0	None	fixed
openvpn	3.12-main	2.4.11-r0	Natanael Copa <ncopa@alpinelinux.org>	fixed
openvpn	3.11-main	2.4.11-r0	Natanael Copa <ncopa@alpinelinux.org>	fixed
openvpn	3.10-main	2.4.11-r0	Natanael Copa <ncopa@alpinelinux.org>	fixed

Source package

Branch

Version

Maintainer

Status

openvpn

edge-main

2.5.2-r0

Natanael Copa <ncopa@alpinelinux.org>

fixed

openvpn

edge-main