CVE-2024-8474

EUVD-2024-49629
OpenVPN Connect before version 3.5.0 can contain the configuration profile's clear-text private key which is logged in the application log, which an unauthorized actor can use to decrypt the VPN traffic
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
OpenVPNCNA
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 77%
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
openvpnconnect
𝑥
≤ 3.5.0
CNA
Common Weakness Enumeration
References
https://openvpn.net/connect-docs/android-release-notes.html