CVE-2022-0547

OpenVPN 2.1 until v2.4.12 and v2.5.6 may enable authentication bypass in external authentication plug-ins when more than one of them makes use of deferred authentication replies, which allows an external user to be granted access with only partially correct credentials.

Database specific

{
    "cna_assigner": "OpenVPN",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/0xxx/CVE-2022-0547.json",
    "cwe_ids": [
        "CWE-305"
    ],
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "last_affected": "version 2.1 until version 2.4.12 and 2.5.6."
                }
            ],
            "source": "AFFECTED_FIELD"
        }
    ]
}

References

Affected packages

Git / github.com/openvpn/openvpn

Affected ranges

Type

GIT

Repo

https://github.com/openvpn/openvpn

Events

Introduced

4580320b22946a1dd65039a6efcd616ee5e4ac3b

Fixed

058407a89cb812115b383570b12f4c2fde500d39

Introduced

a73072d8f780e888aca7d79b993b1e59c9d8f364

Fixed

e8df2e64d6f817e63025f78b29bc624772d5c3d6

Database specific

{
    "extracted_events": [
        {
            "introduced": "2.1.0"
        },
        {
            "fixed": "2.4.12"
        },
        {
            "introduced": "2.5.0"
        },
        {
            "fixed": "2.5.6"
        }
    ],
    "source": "CPE_RANGE",
    "cpe": "cpe:2.3:a:openvpn:openvpn:*:*:*:*:*:*:*:*"
}

Affected versions

v2.*

v2.1.0

v2.1.1

v2.1.2

v2.1.3

v2.2-RC

v2.2-RC2

v2.2-beta4

v2.2-beta5

v2.3-alpha1

v2.3_alpha2

v2.3_alpha3

v2.3_beta1

v2.4.0

v2.4.1

v2.4.10

v2.4.11

v2.4.2

v2.4.3

v2.4.4

v2.4.5

v2.4.6

v2.4.7

v2.4.8

v2.4.9

v2.4_alpha1

v2.4_alpha2

v2.4_beta1

v2.4_beta2

v2.4_rc1

v2.4_rc2

v2.5.0

v2.5.1

v2.5.2

v2.5.3

v2.5.4

v2.5.5

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-0547.json"