CVE-2024-8474

Summary

OpenVPN Connect before version 3.5.0 can contain the configuration profile's clear-text private key which is logged in the application log, which an unauthorized actor can use to decrypt the VPN traffic

Affected Software

VendorProductVersion RangeStatus
OpenVPNOpenVPN Connect0 <= 3.5.0affected

Weaknesses

  • CWE-212: CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References