CVE-2017-5868

MEDIUM NUCLEI

OpenVPN Access Server 2.1.4 - CRLF Injection

Title source: llm

Description

CRLF injection vulnerability in the web interface in OpenVPN Access Server 2.1.4 allows remote attackers to inject arbitrary HTTP headers and consequently conduct session fixation attacks and possibly HTTP response splitting attacks via "%0A" characters in the PATH_INFO to __session_start__/.

Nuclei Templates (1)

OpenVPN Access Server 2.1.4 - CRLF Injection

MEDIUMby ritikchaddha

Shodan: cpe:"cpe:2.3:a:openvpn:openvpn_access_server"

References (3)

[Exploit, Mailing List, Third Party Advisory] http://www.openwall.com/lists/oss-security/2017/05/23/13

[Third Party Advisory, VDB Entry] http://www.securitytracker.com/id/1038547

[Exploit, Mitigation, Third Party Advisory] https://sysdream.com/news/lab/2017-05-05-cve-2017-5868-openvpn-access-server-crlf-injection-with-session-fixation/

Scores

CVSS v3 6.1

EPSS 0.0846

EPSS Percentile 92.3%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-93

Status published

Products (2)

openvpn/openvpn_access_server

n/a/n/a

Published May 26, 2017

Tracked Since Feb 18, 2026