XMLRPC Interface Vulnerability in OpenVPN Access Server
CVE-2020-11462
7.5 HIGH
Summary
A vulnerability in OpenVPN Access Server allows for a potential Denial of Service (DoS) condition through the RPC2 interface when malicious XML Entity Expansion (XEE) payloads are sent. This affects versions prior to 2.7.0 and 2.8.x before 2.8.3, putting systems at risk of resource depletion depending on their memory and CPU capacity. Importantly, the default restricted mode of the RPC2 interface is not affected by this issue.
CVSS V3.1
Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved