CVE-2022-0547

OpenVPN 2.1 until v2.4.12 and v2.5.6 may enable authentication bypass in external authentication plug-ins when more than one of them makes use of deferred authentication replies, which allows an external user to be granted access with only partially correct credentials.

References

Affected packages

Git / github.com/openvpn/openvpn

Affected ranges

Type

GIT

Repo

https://github.com/openvpn/openvpn

Events

Introduced

4580320b22946a1dd65039a6efcd616ee5e4ac3b

Fixed

058407a89cb812115b383570b12f4c2fde500d39

Introduced

a73072d8f780e888aca7d79b993b1e59c9d8f364

Fixed

e8df2e64d6f817e63025f78b29bc624772d5c3d6

Database specific

{
    "versions": [
        {
            "introduced": "2.1.0"
        },
        {
            "fixed": "2.4.12"
        },
        {
            "introduced": "2.5.0"
        },
        {
            "fixed": "2.5.6"
        }
    ]
}

Affected versions

v2.*

v2.1.0

v2.1.1

v2.1.2

v2.1.3

v2.2-RC

v2.2-RC2

v2.2-beta4

v2.2-beta5

v2.3-alpha1

v2.3_alpha2

v2.3_alpha3

v2.3_beta1

v2.4.0

v2.4.1

v2.4.10

v2.4.11

v2.4.2

v2.4.3

v2.4.4

v2.4.5

v2.4.6

v2.4.7

v2.4.8

v2.4.9

v2.4_alpha1

v2.4_alpha2

v2.4_beta1

v2.4_beta2

v2.4_rc1

v2.4_rc2

v2.5.0

v2.5.1

v2.5.2

v2.5.3

v2.5.4

v2.5.5

v2.5_beta1

v2.5_beta2

v2.5_beta3

v2.5_beta4

v2.5_rc1

v2.5_rc2

v2.5_rc3

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-0547.json"

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "34"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "36"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "9.0"
            }
        ]
    }
]