CVE-2022-0547
18.03.2022, 18:15
OpenVPN 2.1 until v2.4.12 and v2.5.6 may enable authentication bypass in external authentication plug-ins when more than one of them makes use of deferred authentication replies, which allows an external user to be granted access with only partially correct credentials.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| openvpn | openvpn | 2.1.0 ≤ 𝑥 < 2.4.12 |
| openvpn | openvpn | 2.5.0 ≤ 𝑥 < 2.5.6 |
| debian | debian_linux | 9.0 |
𝑥
= Vulnerable software versions
Debian Releases
Ubuntu Releases
Ubuntu Product | |||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| openvpn |
|
openSUSE / SLES Releases
openSUSE Product | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| openvpn |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| openvpn-auth-pam-plugin |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| openvpn-dco |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| openvpn-dco-devel |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| openvpn-devel |
|
Common Weakness Enumeration
- CWE-305 - Authentication Bypass by Primary WeaknessThe authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.
- CWE-287 - Improper AuthenticationWhen an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.
References