CVE-2017-5868

CRLF injection vulnerability in the web interface in OpenVPN Access Server 2.1.4 allows remote attackers to inject arbitrary HTTP headers and consequently conduct session fixation attacks and possibly HTTP response splitting attacks via "%0A" characters in the PATH_INFO to session_start/.

Published: May 26, 2017
Updated: Apr 13, 2023
CVE: CVE-2017-5868
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.1
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N

CWEs:

CWE-93

Affected Software
References

Software	From	Fixed in
openvpn / openvpn_access_server	2.1.4	2.1.4.x

http://www.openwall.com/lists/oss-security/2017/05/23/13
http://www.securitytracker.com/id/1038547
https://sysdream.com/news/lab/2017-05-05-cve-2017-5868-openvpn-access-server-crlf-injection-with-session-fixation/

Vulnerability Database

289,697

CVE-2017-5868