CVE-2020-15074 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
OpenVPN	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 50%

Vendor	Product	Version
openvpn	openvpn_access_server	𝑥 < 2.8.4
openvpn	openvpn_access_server	2.9.0 ≤ 𝑥 < 2.9.6

𝑥

= Vulnerable software versions

Ubuntu Releases

Ubuntu Product

Codename

openvpn

focal	not-affected
eoan	ignored
bionic	not-affected
xenial	not-affected
trusty	not-affected

Common Weakness Enumeration

CWE-302 - Authentication Bypass by Assumed-Immutable Data
The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker.
CWE-613 - Insufficient Session Expiration
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

References

https://openvpn.net/vpn-server-resources/release-notes/

https://openvpn.net/vpn-server-resources/release-notes/