CVE-2020-11462
HIGHOpenVPN Access Server < 2.7.0 and 2.8.x < 2.8.3 - Denial of Service via XML Entity Expansion
Title source: llmDescription
An issue was discovered in OpenVPN Access Server before 2.7.0 and 2.8.x before 2.8.3. With the full featured RPC2 interface enabled, it is possible to achieve a temporary DoS state of the management interface when sending an XML Entity Expansion (XEE) payload to the XMLRPC based RPC2 interface. The duration of the DoS state depends on available memory and CPU speed. The default restricted mode of the RPC2 interface is NOT vulnerable.
References (1)
Core 1
Core References
Release Notes, Vendor Advisory x_refsource_misc
https://openvpn.net/vpn-server-resources/release-notes/#Release_notes_for_OpenVPN_Access_Server_283
Scores
CVSS v3
7.5
EPSS
0.0125
EPSS Percentile
65.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-776
Status
published
Products (1)
openvpn/openvpn_access_server
< 2.7.0
Published
May 04, 2020
Tracked Since
Feb 18, 2026