CVE-2024-8474

{"id": "CVE-2024-8474", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2025-01-06T15:15:14.983", "references": [{"url": "https://openvpn.net/connect-docs/android-release-notes.html", "tags": ["Release Notes"], "source": "security@openvpn.net"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@openvpn.net", "description": [{"lang": "en", "value": "CWE-212"}]}], "descriptions": [{"lang": "en", "value": "OpenVPN Connect before version 3.5.0 can contain the configuration profile's clear-text private key which is logged in the application log, which an unauthorized actor can use to decrypt the VPN traffic"}, {"lang": "es", "value": "OpenVPN Connect anterior a la versi\u00f3n 3.5.0 puede contener la clave privada en texto plano del perfil de configuraci\u00f3n que se registra en el registro de la aplicaci\u00f3n, que un actor no autorizado puede usar para descifrar el tr\u00e1fico VPN."}], "lastModified": "2025-06-10T16:31:24.740", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:openvpn:connect:*:*:*:*:*:android:*:*", "vulnerable": true, "matchCriteriaId": "3C5CCC69-B938-4CCE-98B3-0B8064C987F1", "versionEndExcluding": "3.5.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@openvpn.net"}