The nodejs framework in OpenVPN Connect 3.0 through 3.4.3 (Windows)/3.4.7 (macOS) was not properly configured, which allows a local user to execute arbitrary code within the nodejs process context via the ELECTRON_RUN_AS_NODE environment variable
[
{
"vendor": "OpenVPN",
"product": "OpenVPN Connect",
"platforms": [
"Windows",
"MacOS"
],
"versions": [
{
"status": "affected",
"version": "3.0 (Windows)",
"lessThanOrEqual": "3.4.3",
"versionType": "minor releases"
},
{
"status": "affected",
"version": "3.0 (macOS) ",
"lessThanOrEqual": "3.4.7",
"versionType": "minor releases"
}
],
"defaultStatus": "unaffected"
}
]