Vulnerabilities related to OpenVPN - OpenVPN 2 (Community)
cve-2023-46850
Vulnerability from cvelistv5
Published: 2023-11-11 00:15
Modified: 2025-02-13 17:14
Summary
Use after free in OpenVPN version 2.6.0 to 2.6.6 may lead to undefined behaviour, leaking memory buffers or remote execution when sending network buffers to a remote peer.
References
Impacted products
Vendor | Product | Version
---|---|---
OpenVPN | OpenVPN 2 (Community) | Version: 2.6.0
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T20:53:21.910Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://community.openvpn.net/openvpn/wiki/CVE-2023-46850", }, { tags: [ "x_transferred", ], url: "https://openvpn.net/security-advisory/access-server-security-update-cve-2023-46849-cve-2023-46850/", }, { tags: [ "x_transferred", ], url: "https://www.debian.org/security/2023/dsa-5555", }, { tags: [ "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L3FS46ANNTAVLIQY56ZKGM5CBTRVBUNE/", }, { tags: [ "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O54I7D753V6PU6XBU26FEROD2DSHEJQ4/", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-46850", options: [ { Exploitation: "None", }, { Automatable: "yes", }, { "Technical Impact": "Total", }, ], role: "CISA Coordinator", timestamp: "2025-01-08T21:43:36.505056Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-01-08T21:44:02.391Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "OpenVPN 2 (Community)", vendor: "OpenVPN", versions: [ { lessThanOrEqual: "2.6.6", status: "affected", version: "2.6.0", versionType: "minor release", }, ], }, { defaultStatus: "unaffected", platforms: [ "Linux", ], product: "Access Server", vendor: "OpenVPN", versions: [ { lessThanOrEqual: "2.11.3", status: "affected", version: "2.11.0", versionType: "patch release", }, { lessThanOrEqual: "2.12.2", status: "affected", version: "2.12.0", versionType: "patch release", }, ], }, ], descriptions: [ { lang: "en", value: "Use after free in OpenVPN version 2.6.0 to 2.6.6 may lead to undefined behavoir, leaking memory buffers 
or remote execution when sending network buffers to a remote peer.", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-416", description: "CWE-416 Use After Free", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-11-29T02:06:20.991Z", orgId: "36a55730-e66d-4d39-8ca6-3c3b3017965e", shortName: "OpenVPN", }, references: [ { url: "https://community.openvpn.net/openvpn/wiki/CVE-2023-46850", }, { url: "https://openvpn.net/security-advisory/access-server-security-update-cve-2023-46849-cve-2023-46850/", }, { url: "https://www.debian.org/security/2023/dsa-5555", }, { url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L3FS46ANNTAVLIQY56ZKGM5CBTRVBUNE/", }, { url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O54I7D753V6PU6XBU26FEROD2DSHEJQ4/", }, ], }, }, cveMetadata: { assignerOrgId: "36a55730-e66d-4d39-8ca6-3c3b3017965e", assignerShortName: "OpenVPN", cveId: "CVE-2023-46850", datePublished: "2023-11-11T00:15:07.076Z", dateReserved: "2023-10-27T13:38:49.496Z", dateUpdated: "2025-02-13T17:14:45.269Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-46849
Vulnerability from cvelistv5
Published: 2023-11-11 00:05
Modified: 2025-02-13 17:14
Summary
Using the --fragment option in certain configuration setups, OpenVPN version 2.6.0 to 2.6.6 allows an attacker to trigger a divide by zero behaviour which could cause an application crash, leading to a denial of service.
References
Impacted products
Vendor | Product | Version
---|---|---
OpenVPN | OpenVPN 2 (Community) | Version: 2.6.0
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T20:53:21.915Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://community.openvpn.net/openvpn/wiki/CVE-2023-46849", }, { tags: [ "x_transferred", ], url: "https://openvpn.net/security-advisory/access-server-security-update-cve-2023-46849-cve-2023-46850/", }, { tags: [ "x_transferred", ], url: "https://www.debian.org/security/2023/dsa-5555", }, { tags: [ "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L3FS46ANNTAVLIQY56ZKGM5CBTRVBUNE/", }, { tags: [ "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O54I7D753V6PU6XBU26FEROD2DSHEJQ4/", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "OpenVPN 2 (Community)", vendor: "OpenVPN", versions: [ { lessThanOrEqual: "2.6.6", status: "affected", version: "2.6.0", versionType: "minor release", }, ], }, { defaultStatus: "unaffected", platforms: [ "Linux", ], product: "Access Server", vendor: "OpenVPN", versions: [ { lessThanOrEqual: "2.11.3", status: "affected", version: "2.11.0", versionType: "patch release", }, { lessThanOrEqual: "2.12.1", status: "affected", version: "2.12.0", versionType: "patch release", }, ], }, ], descriptions: [ { lang: "en", value: "Using the --fragment option in certain configuration setups OpenVPN version 2.6.0 to 2.6.6 allows an attacker to trigger a divide by zero behaviour which could cause an application crash, leading to a denial of service.", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-369", description: "CWE-369 Divide By Zero", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-11-29T02:06:19.217Z", orgId: "36a55730-e66d-4d39-8ca6-3c3b3017965e", shortName: "OpenVPN", }, references: [ { url: 
"https://community.openvpn.net/openvpn/wiki/CVE-2023-46849", }, { url: "https://openvpn.net/security-advisory/access-server-security-update-cve-2023-46849-cve-2023-46850/", }, { url: "https://www.debian.org/security/2023/dsa-5555", }, { url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L3FS46ANNTAVLIQY56ZKGM5CBTRVBUNE/", }, { url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O54I7D753V6PU6XBU26FEROD2DSHEJQ4/", }, ], }, }, cveMetadata: { assignerOrgId: "36a55730-e66d-4d39-8ca6-3c3b3017965e", assignerShortName: "OpenVPN", cveId: "CVE-2023-46849", datePublished: "2023-11-11T00:05:13.487Z", dateReserved: "2023-10-27T13:38:49.496Z", dateUpdated: "2025-02-13T17:14:44.708Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }