CVE-2020-11462
Last modified
CVE-2020-11462 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. An issue was discovered in OpenVPN Access Server before 2.7.0 and 2.8.x before 2.8.3. With the full featured RPC2 interface enabled, it is possible to achieve a temporary DoS state of the management interface when sending an XML Entity Expansion (XEE) payload to the XMLRPC based RPC2 interface. EPSS estimates a 1.25% chance of exploitation in the next 30 days.
Description
An issue was discovered in OpenVPN Access Server before 2.7.0 and 2.8.x before 2.8.3. With the full featured RPC2 interface enabled, it is possible to achieve a temporary DoS state of the management interface when sending an XML Entity Expansion (XEE) payload to the XMLRPC based RPC2 interface. The duration of the DoS state depends on available memory and CPU speed. The default restricted mode of the RPC2 interface is NOT vulnerable.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Openvpn | Openvpn Access Server | < 2.7.0 |
| Openvpn | Openvpn Access Server | >= 2.8.0, <= 2.8.3 |
References
- https://openvpn.net/vpn-server-resources/release-notes/#Release_notes_for_OpenVPN_Access_Server_283Release Notes, Vendor Advisory
- https://openvpn.net/vpn-server-resources/release-notes/#Release_notes_for_OpenVPN_Access_Server_283Release Notes, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2020-11462?
How severe is CVE-2020-11462?
How do I fix CVE-2020-11462?
Are you affected by CVE-2020-11462?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST