CVE-2020-15074
EUVD-2020-720214.07.2020, 18:15
OpenVPN Access Server older than version 2.8.4 and version 2.9.5 generates new user authentication tokens instead of reusing exiting tokens on reconnect making it possible to circumvent the initial token expiry timestamp.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| openvpn | openvpn_access_server | 𝑥 < 2.8.4 |
| openvpn | openvpn_access_server | 2.9.0 ≤ 𝑥 < 2.9.6 |
𝑥
= Vulnerable software versions
Ubuntu Releases
Common Weakness Enumeration
- CWE-302 - Authentication Bypass by Assumed-Immutable DataThe authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker.
- CWE-613 - Insufficient Session ExpirationAccording to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."