CVE-2017-5868
Summary
| CVE | CVE-2017-5868 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2017-05-26 01:29:00 UTC |
| Updated | 2017-06-06 14:10:00 UTC |
| Description | CRLF injection vulnerability in the web interface in OpenVPN Access Server 2.1.4 allows remote attackers to inject arbitrary HTTP headers and consequently conduct session fixation attacks and possibly HTTP response splitting attacks via "%0A" characters in the PATH_INFO to __session_start__/. |
Risk And Classification
Problem Types: CWE-93
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Openvpn | Openvpn Access Server | 2.1.4 | All | All | All |
| Application | Openvpn | Openvpn Access Server | 2.1.4 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| OpenVPN Access Server Input Validation Flaw Lets Remote Users Conduct Session Fixation Attacks to Hijack a Target User's Session - SecurityTracker | SECTRACK | www.securitytracker.com | Third Party Advisory, VDB Entry |
| oss-security - [CVE-2017-5868] OpenVPN Access Server : CRLF injection with Session fixation | MLIST | www.openwall.com | Exploit, Mailing List, Third Party Advisory |
| [CVE-2017-5868] OpenVPN Access Server : CRLF injection with Session fixation - Sysdream | MISC | sysdream.com | Exploit, Mitigation, Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.