CVE-2023-7235 : The OpenVPN GUI installer before version 2.6.9 did not set the proper access con

The OpenVPN GUI installer before version 2.6.9 did not set the proper access control restrictions to the installation directory of OpenVPN binaries when using a non-standard installation path, which allows an attacker to replace binaries to run arbitrary executables.

Published 2024-02-21 11:15:08

Updated 2024-08-26 17:35:03

Source OpenVPN Inc.

View at NVD, CVE.org

Products affected by CVE-2023-7235

Please log in to view affected product information.

Exploit prediction scoring system (EPSS) score for CVE-2023-7235

EPSS FAQ

0.05%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 13 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-7235

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
8.4	HIGH	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	2.5	5.9	134c704f-9b21-4f2e-91b3-4a467353bcc0	2024-08-26
Attack Vector: Local Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2023-7235

CWE-276 Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

Assigned by: security@openvpn.net (Secondary)

References for CVE-2023-7235

https://community.openvpn.net/openvpn/wiki/CVE-2023-7235

Just a moment...

Jump to

Vulnerability Details : CVE-2023-7235

Products affected by CVE-2023-7235

Exploit prediction scoring system (EPSS) score for CVE-2023-7235

CVSS scores for CVE-2023-7235

CWE ids for CVE-2023-7235

References for CVE-2023-7235