CVE-2021-45810

GlobalProtect-openconnect versions prior to 2.0.0 (exclusive) are affected by incorrect access control in GPService through DBUS, GUI. The way GlobalProtect-Openconnect is set up enables arbitrary users to start a VPN connection to arbitrary servers. By hosting an openconnect compatible server, the attack can redirect the entire host's traffic via their own server.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 54%
VendorProductVersion
globalprotect-openconnect_projectglobalprotect-openconnect
-
𝑥
= Vulnerable software versions
References
https://github.com/yuezk/GlobalProtect-openconnect/issues/114
https://github.com/yuezk/GlobalProtect-openconnect/issues/114#issuecomment-1914008203
https://github.com/yuezk/GlobalProtect-openconnect/issues/114
https://github.com/yuezk/GlobalProtect-openconnect/issues/114#issuecomment-1914008203