CVE-2022-0547

CRITICAL

OpenVPN <2.4.13 or 2.5.7 - Auth Bypass

Description

OpenVPN 2.1 until v2.4.12 and v2.5.6 may enable authentication bypass in external authentication plug-ins when more than one of them makes use of deferred authentication replies, which allows an external user to be granted access with only partially correct credentials.

Scores

CVSS v3 9.8
EPSS 0.0057
EPSS Percentile 68.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-305 CWE-287
Status published
Products (4)
debian/debian_linux 9.0
fedoraproject/fedora 34
fedoraproject/fedora 36
openvpn/openvpn 2.1.0 - 2.4.12
Published Mar 18, 2022
Tracked Since Feb 18, 2026