Improper Token Management in OpenVPN Access Server by OpenVPN
CVE-2020-15074

7.5 HIGH

Key Information:

Vendor:
OpenVPN
CVE Published:
14 July 2020

Summary

OpenVPN Access Server prior to version 2.8.4 and 2.9.5 improperly manages user authentication tokens. On reconnect, the server generates a new token rather than reusing the existing one, which makes it possible to circumvent the initial token expiry timestamp. This behavior poses a security risk, allowing unauthorized access under certain conditions.
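The expiry bypass described above can be reproduced in a small model. This is an added example, not OpenVPN Access Server code: the `TokenServer` class, its method names and the one-hour lifetime are hypothetical, chosen only to contrast issuing a fresh token on reconnect with reusing the existing one.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

TOKEN_LIFETIME = 3600  # assumed token lifetime in seconds (constructed value)

@dataclass
class Token:
    value: str
    expires_at: float  # absolute expiry timestamp set at issue time

class TokenServer:
    """Toy auth-token server; reuse_existing selects flawed or hardened behaviour."""

    def __init__(self, reuse_existing: bool):
        self.reuse_existing = reuse_existing
        self.tokens = {}  # token value -> Token

    def login(self, now: float) -> str:
        # A full credential check would happen here; it starts the expiry clock.
        return self._issue(now + TOKEN_LIFETIME)

    def reconnect(self, old_value: str, now: float) -> Optional[str]:
        old = self.tokens.get(old_value)
        if old is None or now >= old.expires_at:
            self.tokens.pop(old_value, None)
            return None  # unknown or expired: full re-authentication required
        if self.reuse_existing:
            return old.value  # hardened: same token, initial expiry still applies
        del self.tokens[old_value]
        # Flawed: a freshly generated token restarts the clock on every reconnect.
        return self._issue(now + TOKEN_LIFETIME)

    def _issue(self, expires_at: float) -> str:
        tok = Token(secrets.token_urlsafe(16), expires_at)
        self.tokens[tok.value] = tok
        return tok.value

def session_outlives_initial_expiry(server: TokenServer,
                                    reconnect_every: int = 1800,
                                    horizon: int = 4 * TOKEN_LIFETIME) -> bool:
    """Reconnect periodically without re-entering credentials and report
    whether the session is still alive well past the first token's expiry."""
    token = server.login(now=0)
    for now in range(reconnect_every, horizon + 1, reconnect_every):
        token = server.reconnect(token, now)
        if token is None:
            return False
    return True
```

A detection check follows from the same model: any session whose current token expiry is later than its login time plus the configured lifetime has been extended without re-authentication.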

Affected Version(s)

OpenVPN Access Server 2.8.3 and prior versions in addition to 2.9.5

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
