CVE-2020-15078

Description

OpenVPN 2.5.1 and earlier versions allows a remote attackers to bypass authentication and access control channel data on servers configured with deferred authentication, which can be used to potentially trigger further information leaks.

Affected Software
References

Software	From	Fixed in
debian / debian_linux	9.0	9.0.x
fedoraproject / fedora	32	32.x
fedoraproject / fedora	33	33.x
fedoraproject / fedora	34	34.x
canonical / ubuntu_linux	18.04	18.04.x
canonical / ubuntu_linux	20.04	20.04.x
canonical / ubuntu_linux	20.10	20.10.x
canonical / ubuntu_linux	21.04	21.04.x
openvpn / openvpn	-	2.4.11
openvpn / openvpn	2.5.0	2.5.2

https://community.openvpn.net/openvpn/wiki/CVE-2020-15078
https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements
https://lists.debian.org/debian-lts-announce/2022/05/msg00002.html
https://lists.fedoraproject.org/archives/list/[email protected]/message/GJUXEYHUPREEBPX23VPEKMFXUPVO3PMU/
https://lists.fedoraproject.org/archives/list/[email protected]/message/JGEGLC4YGBDN5CGHTNWN2GH6DJJA36T2/
https://lists.fedoraproject.org/archives/list/[email protected]/message/PLDB3OBQ3AODYYRN7NRCABV6I4AUFAT6/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GJUXEYHUPREEBPX23VPEKMFXUPVO3PMU/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JGEGLC4YGBDN5CGHTNWN2GH6DJJA36T2/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PLDB3OBQ3AODYYRN7NRCABV6I4AUFAT6/
https://security.gentoo.org/glsa/202105-25
https://usn.ubuntu.com/usn/usn-4933-1

Severity: High

CVE: CVE-2020-15078
Published: Apr 26, 2021
Updated: Apr 13, 2023
Exploit:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:P/I:N/A:N

CWE-306

CVE-2020-15078

Description

Details

CVSS v3

CVSS v2

CWEs