Inclusion of Sensitive Information in Log Files in OpenVPN Connect on Android - CVE-2024-8474

 


Published: January 8, 2025 / Updated: February 5, 2025


Vulnerability identifier: #VU102440
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-8474
CWE-ID: CWE-532
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: OpenVPN
Affected software:
OpenVPN Connect on Android

Detailed vulnerability description

The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists because the application writes the configuration profile's clear-text private key to the application log. A local application installed on the device can read the log file and obtain the OpenVPN private key. This key can be used to decrypt traffic between the client and the VPN server.
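The weakness class here is CWE-532 (secret material ending up in a log). A practical defensive check when reviewing an app's log output is to scan a logcat dump for PEM private-key blocks and OpenVPN inline-profile key tags, flag the offending lines, and redact them before the dump is shared or stored. The following is an added example written for this page, not OpenVPN's own code; the logcat lines are constructed, the PEM body is a bogus placeholder, and the logcat prefix format it parses is the standard `threadtime` layout (date, time, pid, tid, level, tag).

```python
import re
from typing import List, Tuple

# Constructed logcat-style sample (not captured from a real device). The PEM
# body is a deliberately bogus placeholder, not a real key.
SAMPLE_LOG = """\
01-08 10:00:01.123  1234  1234 I VpnProfile: importing profile vpn-example.ovpn
01-08 10:00:01.130  1234  1234 D VpnProfile: <key>
01-08 10:00:01.131  1234  1234 D VpnProfile: -----BEGIN PRIVATE KEY-----
01-08 10:00:01.132  1234  1234 D VpnProfile: MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC/FAKE
01-08 10:00:01.133  1234  1234 D VpnProfile: -----END PRIVATE KEY-----
01-08 10:00:01.134  1234  1234 D VpnProfile: </key>
01-08 10:00:02.000  1234  1234 I VpnService: connecting to vpn.example.com:1194
"""

# PEM openers such as "-----BEGIN PRIVATE KEY-----", "-----BEGIN RSA PRIVATE KEY-----",
# "-----BEGIN EC PRIVATE KEY-----" or "-----BEGIN ENCRYPTED PRIVATE KEY-----".
PEM_BEGIN = re.compile(r"-----BEGIN ((?:[A-Z]+ )*PRIVATE KEY)-----")
# OpenVPN inline-profile tags that carry key material.
INLINE_OPEN = re.compile(r"<(key|tls-auth|tls-crypt|tls-crypt-v2)>")
# Logcat "threadtime" prefix: date time pid tid level tag: message
LOGCAT_PREFIX = re.compile(r"^(\S+ \S+\s+\d+\s+\d+ [A-Z] [^:]*: )(.*)$")

REDACTED = "[REDACTED: private key material]"


def redact_line(line: str) -> str:
    """Keep the logcat prefix (timestamp, pid, tag) and drop the message body."""
    m = LOGCAT_PREFIX.match(line)
    return (m.group(1) + REDACTED) if m else REDACTED


def scan_log(text: str) -> Tuple[List[int], List[str]]:
    """Return (1-based line numbers carrying key material, redacted log lines).

    A small stack of expected closers tracks nested blocks, e.g. a PEM block
    inside an OpenVPN <key>...</key> tag. Every line from an opener through
    its matching closer (inclusive) is treated as sensitive.
    """
    flagged: List[int] = []
    out: List[str] = []
    open_blocks: List[str] = []  # closers we are still waiting for
    for n, line in enumerate(text.splitlines(), start=1):
        sensitive = bool(open_blocks)
        m = PEM_BEGIN.search(line)
        if m:
            open_blocks.append("-----END %s-----" % m.group(1))
            sensitive = True
        m = INLINE_OPEN.search(line)
        if m:
            open_blocks.append("</%s>" % m.group(1))
            sensitive = True
        if open_blocks and open_blocks[-1] in line:
            open_blocks.pop()  # closer reached; the closing line is still redacted
            sensitive = True
        if sensitive:
            flagged.append(n)
            out.append(redact_line(line))
        else:
            out.append(line)
    return flagged, out


if __name__ == "__main__":
    lines, cleaned = scan_log(SAMPLE_LOG)
    print("lines carrying key material:", lines)
    print("\n".join(cleaned))
```

Running the block on the constructed sample flags lines 2 through 6 (the `<key>` tag, the PEM block and the closing tag) and leaves the harmless profile-import and connect lines untouched. The same scanner is useful as a CI gate over captured test-device logs: any flagged line in a release build's output is a finding of exactly the kind described above.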


How to mitigate CVE-2024-8474

Install updates from the vendor's website.

Sources