{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-8474", "assignerOrgId": "36a55730-e66d-4d39-8ca6-3c3b3017965e", "state": "PUBLISHED", "assignerShortName": "OpenVPN", "dateReserved": "2024-09-05T08:38:27.571Z", "datePublished": "2025-01-06T14:33:26.129Z", "dateUpdated": "2025-01-06T16:54:38.487Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "36a55730-e66d-4d39-8ca6-3c3b3017965e", "shortName": "OpenVPN", "dateUpdated": "2025-01-06T14:33:26.129Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-212", "description": "CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer", "type": "CWE"}]}], "affected": [{"vendor": "OpenVPN", "product": "OpenVPN Connect", "platforms": ["Android"], "versions": [{"status": "affected", "version": "0", "lessThanOrEqual": "3.5.0", "versionType": "all releases"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "OpenVPN Connect before version 3.5.0 can contain the configuration profile's clear-text private key which is logged in the application log, which an unauthorized actor can use to decrypt the VPN traffic"}], "references": [{"url": "https://openvpn.net/connect-docs/android-release-notes.html", "tags": ["release-notes"]}]}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-01-06T16:53:43.249831Z", "id": "CVE-2024-8474", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-06T16:54:38.487Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-8474", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-01-06T16:53:43.249831Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-06T16:54:33.381Z"}}], "cna": {"affected": [{"vendor": "OpenVPN", "product": "OpenVPN Connect", "versions": [{"status": "affected", "version": "0", "versionType": "all releases", "lessThanOrEqual": "3.5.0"}], "platforms": ["Android"], "defaultStatus": "unaffected"}], "references": [{"url": "https://openvpn.net/connect-docs/android-release-notes.html", "tags": ["release-notes"]}], "descriptions": [{"lang": "en", "value": "OpenVPN Connect before version 3.5.0 can contain the configuration profile's clear-text private key which is logged in the application log, which an unauthorized actor can use to decrypt the VPN traffic"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-212", "description": "CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer"}]}], "providerMetadata": {"orgId": "36a55730-e66d-4d39-8ca6-3c3b3017965e", "shortName": "OpenVPN", "dateUpdated": "2025-01-06T14:33:26.129Z"}}}, "cveMetadata": {"cveId": "CVE-2024-8474", "state": "PUBLISHED", "dateUpdated": "2025-01-06T16:54:38.487Z", "dateReserved": "2024-09-05T08:38:27.571Z", "assignerOrgId": "36a55730-e66d-4d39-8ca6-3c3b3017965e", "datePublished": "2025-01-06T14:33:26.129Z", "assignerShortName": "OpenVPN"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openvpn:connect:*:*:*:*:*:android:*:*", "matchCriteriaId": "3C5CCC69-B938-4CCE-98B3-0B8064C987F1", "versionEndExcluding": "3.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenVPN Connect before version 3.5.0 can contain the configuration profile's clear-text private key which is logged in the application log, which an unauthorized actor can use to decrypt the VPN traffic"}, {"lang": "es", "value": "OpenVPN Connect anterior a la versi\u00f3n 3.5.0 puede contener la clave privada en texto plano del perfil de configuraci\u00f3n que se registra en el registro de la aplicaci\u00f3n, que un actor no autorizado puede usar para descifrar el tr\u00e1fico VPN."}], "id": "CVE-2024-8474", "lastModified": "2025-06-10T16:31:24.740", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-01-06T15:15:14.983", "references": [{"source": "security@openvpn.net", "tags": ["Release Notes"], "url": "https://openvpn.net/connect-docs/android-release-notes.html"}], "sourceIdentifier": "security@openvpn.net", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-212"}], "source": "security@openvpn.net", "type": "Secondary"}]}

{}

{}