Vulnerability Details CVE-2023-7245
The nodejs framework in OpenVPN Connect 3.0 through 3.4.3 (Windows)/3.4.7 (macOS) was not properly configured, which allows a local user to execute arbitrary code within the nodejs process context via the ELECTRON_RUN_AS_NODE environment variable
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 40.6%
CVSS Severity
CVSS v3 Score 7.8
References
- https://openvpn.net/vpn-server-resources/openvpn-connect-for-macos-change-log/
- https://openvpn.net/vpn-server-resources/openvpn-connect-for-windows-change-log/
- https://openvpn.net/vpn-server-resources/openvpn-connect-for-macos-change-log/
- https://openvpn.net/vpn-server-resources/openvpn-connect-for-windows-change-log/
Products affected by CVE-2023-7245
-
cpe:2.3:a:openvpn:connect:3.0.0
-
cpe:2.3:a:openvpn:connect:3.0.1
-
cpe:2.3:a:openvpn:connect:3.0.2
-
cpe:2.3:a:openvpn:connect:3.1.0
-
cpe:2.3:a:openvpn:connect:3.1.1
-
cpe:2.3:a:openvpn:connect:3.1.2
-
cpe:2.3:a:openvpn:connect:3.1.3
-
cpe:2.3:a:openvpn:connect:3.2.0
-
cpe:2.3:a:openvpn:connect:3.2.1
-
cpe:2.3:a:openvpn:connect:3.2.2
-
cpe:2.3:a:openvpn:connect:3.2.3
-
cpe:2.3:a:openvpn:connect:3.2.4
-
cpe:2.3:a:openvpn:connect:3.2.5
-
cpe:2.3:a:openvpn:connect:3.2.6
-
cpe:2.3:a:openvpn:connect:3.2.7
-
cpe:2.3:a:openvpn:connect:3.3.0
-
cpe:2.3:a:openvpn:connect:3.3.6.4368
-
cpe:2.3:a:openvpn:connect:3.3.7.2979
-
cpe:2.3:a:openvpn:connect:3.4.0.3121
-
cpe:2.3:a:openvpn:connect:3.4.0.4506
-
cpe:2.3:a:openvpn:connect:3.4.3
-
cpe:2.3:a:openvpn:connect:3.4.6
-
cpe:2.3:a:openvpn:connect:3.4.7