CVSS2: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.017 Low
Percentile: 87.8%

Samuli Seppänen reports:
In May/June 2017 Guido Vranken threw a fuzzer at OpenVPN 2.4.2. In
the process he found several vulnerabilities and reported them to
the OpenVPN project. […] The first releases to have these fixes are OpenVPN 2.4.3 and 2.3.17.
This is a list of fixed important vulnerabilities:
Remotely-triggerable ASSERT() on malformed IPv6 packet
Pre-authentication remote crash/information disclosure for clients
Potential double-free in --x509-alt-username
Remote-triggerable memory leaks
Post-authentication remote DoS when using the --x509-track option
Null-pointer dereference in establish_http_proxy_passthru()