CVE-2020-15078

moderate-risk

Published 2021-04-26

OpenVPN 2.5.1 and earlier versions allows a remote attackers to bypass authentication and access control channel data on servers configured with deferred authentication, which can be used to potentially trigger further information leaks.

Do I need to act?

0.33% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / LOW complexity

Affected Products (9)

Openvpn

Fedora

Ubuntu Linux

Debian Linux

Affected Vendors

Debian Canonical Openvpn Fedoraproject

References (16)

Patch https://community.openvpn.net/openvpn/wiki/CVE-2020-15078

Broken Link https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements

Mailing List https://lists.debian.org/debian-lts-announce/2022/05/msg00002.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...

Third Party Advisory https://security.gentoo.org/glsa/202105-25

Third Party Advisory https://usn.ubuntu.com/usn/usn-4933-1

Patch https://community.openvpn.net/openvpn/wiki/CVE-2020-15078

Broken Link https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements

Mailing List https://lists.debian.org/debian-lts-announce/2022/05/msg00002.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...

Third Party Advisory https://security.gentoo.org/glsa/202105-25

Third Party Advisory https://usn.ubuntu.com/usn/usn-4933-1

/ 100

moderate-risk

Severity 26/34 · High

Exploitability 1/34 · Minimal

Exposure 15/34 · Moderate