{"id":"UBUNTU-CVE-2022-0547","details":"OpenVPN 2.1 until v2.4.12 and v2.5.6 may enable authentication bypass in external authentication plug-ins when more than one of them makes use of deferred authentication replies, which allows an external user to be granted access with only partially correct credentials.","modified":"2026-02-04T02:33:54.751897Z","published":"2022-03-18T18:15:00Z","related":["USN-5347-1","USN-6850-1"],"upstream":["CVE-2022-0547"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2022-0547"},{"type":"REPORT","url":"https://community.openvpn.net/openvpn/wiki/CVE-2022-0547"},{"type":"REPORT","url":"https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements"},{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-5347-1"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2022-0547"},{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-6850-1"}],"affected":[{"package":{"name":"openvpn","ecosystem":"Ubuntu:Pro:14.04:LTS","purl":"pkg:deb/ubuntu/openvpn@2.3.2-7ubuntu3.2+esm1?arch=source&distro=trusty/esm"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.3.2-7ubuntu3.2+esm1"}]}],"versions":["2.3.2-4ubuntu1","2.3.2-5ubuntu1","2.3.2-7ubuntu1","2.3.2-7ubuntu2","2.3.2-7ubuntu3","2.3.2-7ubuntu3.1","2.3.2-7ubuntu3.2"],"ecosystem_specific":{"binaries":[{"binary_name":"openvpn","binary_version":"2.3.2-7ubuntu3.2+esm1"}],"availability":"Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2022/UBUNTU-CVE-2022-0547.json"}},{"package":{"name":"openvpn","ecosystem":"Ubuntu:Pro:16.04:LTS","purl":"pkg:deb/ubuntu/openvpn@2.3.10-1ubuntu2.2+esm1?arch=source&distro=esm-infra/xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.3.10-1ubuntu2.2+esm1"}]}],"versions":["2.3.7-1ubuntu1","2.3.7-2ubuntu1","2.3.8-1ubuntu1","2.3.10-1ubuntu1","2.3.10-1ubuntu2","2.3.10-1ubuntu2.1","2.3.10-1ubuntu2.2"],"ecosystem_specific":{"binaries":[{"binary_name":"openvpn","binary_version":"2.3.10-1ubuntu2.2+esm1"}],"availability":"Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2022/UBUNTU-CVE-2022-0547.json"}},{"package":{"name":"openvpn","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/openvpn@2.4.4-2ubuntu1.7?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.4.4-2ubuntu1.7"}]}],"versions":["2.4.3-4ubuntu1","2.4.4-1ubuntu1","2.4.4-2ubuntu1","2.4.4-2ubuntu1.1","2.4.4-2ubuntu1.2","2.4.4-2ubuntu1.3","2.4.4-2ubuntu1.5","2.4.4-2ubuntu1.6"],"ecosystem_specific":{"binaries":[{"binary_name":"openvpn","binary_version":"2.4.4-2ubuntu1.7"}],"availability":"No subscription required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2022/UBUNTU-CVE-2022-0547.json"}},{"package":{"name":"openvpn","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/openvpn@2.4.7-1ubuntu2.20.04.4?arch=source&distro=focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.4.7-1ubuntu2.20.04.4"}]}],"versions":["2.4.7-1ubuntu2","2.4.7-1ubuntu2.20.04.2","2.4.7-1ubuntu2.20.04.3"],"ecosystem_specific":{"binaries":[{"binary_name":"openvpn","binary_version":"2.4.7-1ubuntu2.20.04.4"}],"availability":"No subscription required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2022/UBUNTU-CVE-2022-0547.json"}},{"package":{"name":"openvpn","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/openvpn@2.5.5-1ubuntu3?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.5.5-1ubuntu3"}]}],"versions":["2.5.1-3ubuntu1","2.5.1-3ubuntu2","2.5.1-3ubuntu4","2.5.1-3ubuntu5","2.5.5-1ubuntu1"],"ecosystem_specific":{"binaries":[{"binary_name":"openvpn","binary_version":"2.5.5-1ubuntu3"}],"availability":"No subscription required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2022/UBUNTU-CVE-2022-0547.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}]}