{"id":"CVE-2022-0547","details":"OpenVPN 2.1 until v2.4.12 and v2.5.6 may enable authentication bypass in external authentication plug-ins when more than one of them makes use of deferred authentication replies, which allows an external user to be granted access with only partially correct credentials.","modified":"2026-03-20T11:46:11.429623Z","published":"2022-03-18T18:15:12.017Z","related":["MGASA-2022-0123","SUSE-SU-2022:1024-1","SUSE-SU-2022:1029-1","SUSE-SU-2022:14937-1","SUSE-SU-2022:1934-1","openSUSE-SU-2022:1029-1","openSUSE-SU-2024:11968-1"],"references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00005.html"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GFXJ35WKPME4HYNQCQNAJHLCZOJL2SAE/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R36OYC5SJ6FLPVAYJYYT4MOJ2I7MGYFF/"},{"type":"ADVISORY","url":"https://community.openvpn.net/openvpn/wiki/CVE-2022-0547"},{"type":"ADVISORY","url":"https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2022/05/msg00002.html"},{"type":"FIX","url":"https://openvpn.net/community-downloads/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/openvpn/openvpn","events":[{"introduced":"4580320b22946a1dd65039a6efcd616ee5e4ac3b"},{"fixed":"058407a89cb812115b383570b12f4c2fde500d39"},{"introduced":"a73072d8f780e888aca7d79b993b1e59c9d8f364"},{"fixed":"e8df2e64d6f817e63025f78b29bc624772d5c3d6"}],"database_specific":{"versions":[{"introduced":"2.1.0"},{"fixed":"2.4.12"},{"introduced":"2.5.0"},{"fixed":"2.5.6"}]}}],"versions":["v2.1.0","v2.1.1","v2.1.2","v2.1.3","v2.2-RC","v2.2-RC2","v2.2-beta4","v2.2-beta5","v2.3-alpha1","v2.3_alpha2","v2.3_alpha3","v2.3_beta1","v2.4.0","v2.4.1","v2.4.10","v2.4.11","v2.4.2","v2.4.3","v2.4.4","v2.4.5","v2.4.6","v2.4.7","v2.4.8","v2.4.9","v2.4_alpha1","v2.4_alpha2","v2.4_beta1","v2.4_beta2","v2.4_rc1","v2.4_rc2","v2.5.0","v2.5.1","v2.5.2","v2.5.3","v2.5.4","v2.5.5","v2.5_beta1","v2.5_beta2","v2.5_beta3","v2.5_beta4","v2.5_rc1","v2.5_rc2","v2.5_rc3"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"34"}]},{"events":[{"introduced":"0"},{"last_affected":"36"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-0547.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}