{"id":"CVE-2020-15078","details":"OpenVPN 2.5.1 and earlier versions allow remote attackers to bypass authentication and gain access to control channel data on servers configured with deferred authentication, which can potentially be used to trigger further information leaks.","modified":"2026-05-28T04:05:27.490059408Z","published":"2021-04-26T14:15:08.623Z","related":["SUSE-SU-2021:14723-1","SUSE-SU-2021:1576-1","SUSE-SU-2021:1577-1","openSUSE-SU-2021:0734-1","openSUSE-SU-2024:11128-1"],"database_specific":{"unresolved_ranges":[{"cpes":["cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*","cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*","cpe:2.3:o:canonical:ubuntu_linux:20.10:*:*:*:*:*:*:*","cpe:2.3:o:canonical:ubuntu_linux:21.04:*:*:*:*:*:*:*"],"source":"CPE_STRING","extracted_events":[{"last_affected":"18.04"},{"last_affected":"20.04"},{"last_affected":"20.10"},{"last_affected":"21.04"}],"vendor_product":"canonical:ubuntu_linux"},{"cpes":["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*"],"source":"CPE_STRING","extracted_events":[{"last_affected":"9.0"}],"vendor_product":"debian:debian_linux"},{"cpes":["cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*","cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*","cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*"],"source":"CPE_STRING","extracted_events":[{"last_affected":"32"},{"last_affected":"33"},{"last_affected":"34"}],"vendor_product":"fedoraproject:fedora"}]},"references":[{"type":"WEB","url":"https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GJUXEYHUPREEBPX23VPEKMFXUPVO3PMU/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JGEGLC4YGBDN5CGHTNWN2GH6DJJA36T2/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PLDB3OBQ3AODYYRN7NRCABV6I4AUFAT6/"},
{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2022/05/msg00002.html"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202105-25"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/usn/usn-4933-1"},{"type":"FIX","url":"https://community.openvpn.net/openvpn/wiki/CVE-2020-15078"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/openvpn/openvpn","events":[{"introduced":"0"},{"fixed":"092734634796e9637920e029fea716afc146cd82"},{"introduced":"a73072d8f780e888aca7d79b993b1e59c9d8f364"},{"fixed":"23ae78e657052748be68b623ca8122e4103dc7e0"}],"database_specific":{"cpe":"cpe:2.3:a:openvpn:openvpn:*:*:*:*:*:*:*:*","source":"CPE_RANGE","extracted_events":[{"introduced":"0"},{"fixed":"2.4.11"},{"introduced":"2.5.0"},{"fixed":"2.5.2"}]}}],"versions":["v2.5.1","v2.4.10","v2.5.0","v2.4.9","v2.4.8","v2.4.7","v2.4.6","v2.4.5","v2.4.4","v2.4.3","v2.4.2","v2.4.1","v2.4.0","v2.4_rc2","v2.4_rc1","v2.4_beta2","v2.4_beta1","v2.4_alpha2","v2.4_alpha1","v2.3_beta1","v2.3_alpha3","v2.3_alpha2","v2.3-alpha1","v2.2-RC2","v2.2-RC","v2.2-beta5","v2.2-beta4","v2.1.3","v2.1.2","v2.1.1","v2.1.0","v2.1_rc22","v2.1_rc21","v2.1_rc20","v2.1_rc19","v2.1_rc18","v2.1_rc17","v2.1_rc16","v2.1_rc15","v2.1_rc14","v2.1_rc13","v2.1_rc12","v2.1_rc11","v2.1_rc10","v2.1_rc9","v2.1_rc8","v2.1_rc7","v2.1_rc6","v2.1_rc5","v2.1_rc4","v2.1_rc3","v2.1_rc2","v2.1_rc1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-15078.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}