CVE-2023-46849

moderate-risk
Published 2023-11-11

Using the --fragment option in certain configuration setups OpenVPN version 2.6.0 to 2.6.6 allows an attacker to trigger a divide by zero behaviour which could cause an application crash, leading to a denial of service.

Do I need to act?

-
0.48% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10 High
NETWORK / LOW complexity

Affected Products (6)

Openvpn Access Server
Openvpn Access Server
Openvpn Access Server

Affected Vendors

Debian Openvpn Fedoraproject

References (10)

Vendor Advisory https://community.openvpn.net/openvpn/wiki/CVE-2023-46849
Mailing List https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproje...
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproje...
Vendor Advisory https://openvpn.net/security-advisory/access-server-security-update-cve-2023-468...
Third Party Advisory https://www.debian.org/security/2023/dsa-5555
Vendor Advisory https://community.openvpn.net/openvpn/wiki/CVE-2023-46849
Mailing List https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproje...
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproje...
Vendor Advisory https://openvpn.net/security-advisory/access-server-security-update-cve-2023-468...
Third Party Advisory https://www.debian.org/security/2023/dsa-5555
41
/ 100
moderate-risk
Severity 26/34 · High
Exploitability 2/34 · Minimal
Exposure 13/34 · Low