CVE-2020-11462 - OpenCVE

An issue was discovered in OpenVPN Access Server before 2.7.0 and 2.8.x before 2.8.3. With the full featured RPC2 interface enabled, it is possible to achieve a temporary DoS state of the management interface when sending an XML Entity Expansion (XEE) payload to the XMLRPC based RPC2 interface. The duration of the DoS state depends on available memory and CPU speed. The default restricted mode of the RPC2 interface is NOT vulnerable.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:M/Au:N/C:N/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Openvpn	Openvpn Access Server

Configuration 1 [-]

OR	cpe:2.3:a:openvpn:openvpn_access_server::::::::
	cpe:2.3:a:openvpn:openvpn_access_server::::::::

No data.

References

Link	Providers
https://openvpn.net/vpn-server-resources/release-notes/#Release_notes_for_OpenVPN_Access_Server_283

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2020-05-04T13:45:41

Updated: 2024-08-04T11:28:14.015Z

Reserved: 2020-04-01T00:00:00

Link: CVE-2020-11462

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-05-04T14:15:13.183

Modified: 2020-05-12T13:57:42.557

Link: CVE-2020-11462

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in OpenVPN Access Server before 2.7.0 and 2.8.x before 2.8.3. With the full featured RPC2 interface enabled, it is possible to achieve a temporary DoS state of the management interface when sending an XML Entity Expansion (XEE) payload to the XMLRPC based RPC2 interface. The duration of the DoS state depends on available memory and CPU speed. The default restricted mode of the RPC2 interface is NOT vulnerable."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-05-04T13:45:41", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://openvpn.net/vpn-server-resources/release-notes/#Release_notes_for_OpenVPN_Access_Server_283"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-11462", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in OpenVPN Access Server before 2.7.0 and 2.8.x before 2.8.3. With the full featured RPC2 interface enabled, it is possible to achieve a temporary DoS state of the management interface when sending an XML Entity Expansion (XEE) payload to the XMLRPC based RPC2 interface. The duration of the DoS state depends on available memory and CPU speed. The default restricted mode of the RPC2 interface is NOT vulnerable."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://openvpn.net/vpn-server-resources/release-notes/#Release_notes_for_OpenVPN_Access_Server_283", "refsource": "MISC", "url": "https://openvpn.net/vpn-server-resources/release-notes/#Release_notes_for_OpenVPN_Access_Server_283"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T11:28:14.015Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://openvpn.net/vpn-server-resources/release-notes/#Release_notes_for_OpenVPN_Access_Server_283"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-11462", "datePublished": "2020-05-04T13:45:41", "dateReserved": "2020-04-01T00:00:00", "dateUpdated": "2024-08-04T11:28:14.015Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openvpn:openvpn_access_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "4368EC50-E4DA-42CB-8476-CF4B37DA082C", "versionEndExcluding": "2.7.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:openvpn:openvpn_access_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "83828BAF-83AD-448E-A2B5-EF1598429DC2", "versionEndIncluding": "2.8.3", "versionStartIncluding": "2.8.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in OpenVPN Access Server before 2.7.0 and 2.8.x before 2.8.3. With the full featured RPC2 interface enabled, it is possible to achieve a temporary DoS state of the management interface when sending an XML Entity Expansion (XEE) payload to the XMLRPC based RPC2 interface. The duration of the DoS state depends on available memory and CPU speed. The default restricted mode of the RPC2 interface is NOT vulnerable."}, {"lang": "es", "value": "Se ha descubierto un problema en OpenVPN Access Server versiones anteriores a la versi\u00f3n 2.7.0 y versiones 2.8.x anteriores a la versi\u00f3n 2.8.3. Con la interfaz RPC2 con todas las funcionalidades activadas, es posible conseguir un estado DoS temporal de la interfaz de administraci\u00f3n cuando se env\u00eda una carga \u00fatil XML Entity Expansion (XEE) hacia la interfaz RPC2 basada en XMLRPC. La duraci\u00f3n del estado DoS depende de la memoria disponible y de la velocidad de una CPU. El modo restringido por defecto de la interfaz RPC2 NO es vulnerable."}], "id": "CVE-2020-11462", "lastModified": "2020-05-12T13:57:42.557", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-05-04T14:15:13.183", "references": [{"source": "cve@mitre.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://openvpn.net/vpn-server-resources/release-notes/#Release_notes_for_OpenVPN_Access_Server_283"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-776"}], "source": "nvd@nist.gov", "type": "Primary"}]}