CVE-2024-28882 : OpenVPN from 2.6.0 through 2.6.10 in a server role accepts multiple exit notific

OpenVPN from 2.6.0 through 2.6.10 in a server role accepts multiple exit notifications from authenticated clients which will extend the validity of a closing session

Published 2024-07-08 22:15:02

Updated 2025-06-10 16:26:09

Source OpenVPN Inc.

View at NVD, CVE.org

Products affected by CVE-2024-28882

Openvpn » Openvpn » Community Edition
Versions from including (>=) 2.6.0 and before (<) 2.6.11
cpe:2.3:a:openvpn:openvpn:*:*:*:*:community:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2024-28882

EPSS FAQ

0.53%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 66 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2024-28882

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
4.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L	2.8	1.4	134c704f-9b21-4f2e-91b3-4a467353bcc0	2024-11-01
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: Low

CWE ids for CVE-2024-28882

CWE-772 Missing Release of Resource after Effective Lifetime

The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.

Assigned by: security@openvpn.net (Secondary)

References for CVE-2024-28882

https://community.openvpn.net/openvpn/wiki/CVE-2024-28882

CVE-2024-28882 – OpenVPN Community
Vendor Advisory
https://www.mail-archive.com/openvpn-users@lists.sourceforge.net/msg07634.html

[Openvpn-users] OpenVPN 2.6.11 released
Mailing List

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2024-28882

Products affected by CVE-2024-28882

Exploit prediction scoring system (EPSS) score for CVE-2024-28882

CVSS scores for CVE-2024-28882

CWE ids for CVE-2024-28882

References for CVE-2024-28882