VDB

CISA-2024-5594

CISA-2024-5594 PUBLISHED CVSS 9.1 CRITICAL

Reported by OpenVPN · Published January 6, 2025

OpenVPN before 2.6.11 does not santize PUSH_REPLY messages properly which an attacker controlling the server can use to inject unexpected arbitrary data ending up in client logs.

Risk Scores

CVSS 3.1
9.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Affected Products

VendorProductVersions
OpenVPNOpenVPN0
OpenVPNOpenVPN0, 0

Timeline

  • Jan 6, 2025 CVE Published
  • Apr 8, 2025 CVE Updated

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›