CRITICAL🇵🇱 Wersja polska

CVE-2024-5594

CVSS 9.1v3.1pub. 2025-01-06upd. 2025-11-03

OpenVPN before 2.6.11 does not santize PUSH_REPLY messages properly which an attacker controlling the server can use to inject unexpected arbitrary data ending up in client logs.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
  • Openvpn

    APP
    Openvpn
    2.6.0 – 2.6.11 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
VPN
CWE
References

Related vulnerabilities

CVE-2025-12106CRITICAL9.1PL ✓ten sam produkt

OpenVPN: heap buffer over-read przy parsowaniu adresów IP

CVE-2024-27903CRITICAL9.8PL ✓ten sam produkt

OpenVPN dla Windows — ładowanie wtyczek z dowolnego katalogu

CVE-2023-46850CRITICAL9.8ten sam produkt

Use after free in OpenVPN version 2.6.0 to 2.6.6 may lead to undefined behavoir, leaking memory buffers or rem...

CVE-2022-0547CRITICAL9.8ten sam produkt

OpenVPN 2.1 until v2.4.12 and v2.5.6 may enable authentication bypass in external authentication plug-ins when...

CVE-2018-7544CRITICAL9.1ten sam produkt

A cross-protocol scripting issue was discovered in the management interface in OpenVPN through 2.4.5. When thi...