CVE Vulnerability

CVE-2020-11462

An issue was discovered in OpenVPN Access Server before 2.7.0 and 2.8.x before 2.8.3. With the full featured RPC2 interface enabled, it is possible to achieve a temporary DoS state of the management interface when sending an XML Entity Expansion (XEE) payload to the XMLRPC based RPC2 interface. The duration of the DoS state depends on available memory and CPU speed. The default restricted mode of the RPC2 interface is NOT vulnerable.

4.3 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 8.6 / Impact : 2.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

Scope

7.5 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://openvpn.net/vpn-server-resources/release-notes/#Release_notes_for_OpenVPN_Access_Server_283 Release Notes Vendor Advisory
Configurations

Configuration 1

cpe:2.3:a:openvpn:openvpn_access_server:*:*:*:*:*:*:*:*
cpe:2.3:a:openvpn:openvpn_access_server:*:*:*:*:*:*:*:*
Information

Published : 2020-05-04 02:15

Updated : 2020-05-12 01:57

NVD link : CVE-2020-11462

Mitre link : CVE-2020-11462

Products Affected
No products.
CWE
CWE-776

Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')