#VU102440 Inclusion of Sensitive Information in Log Files in OpenVPN Connect on Android - CVE-2024-8474

 


Published: January 8, 2025 / Updated: February 5, 2025


Vulnerability identifier: #VU102440
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-8474
CWE-ID: CWE-532
Exploitation vector: Local access
Exploit availability: No public exploit available
Vulnerable software: OpenVPN Connect on Android
Software vendor: OpenVPN

Description

The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists because the application writes the configuration profile's clear-text private key to the application log. A local application installed on the device can read the log file and obtain the OpenVPN private key. This key can be used to decrypt traffic between the client and the VPN server.
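
A defensive check for this class of bug (CWE-532), added here as an example and not taken from OpenVPN's code or from this advisory: it scans log lines for PEM private-key blocks, such as the one carried in an OpenVPN profile's inline `<key>` section, reports where each block starts and redacts it. The function name, the log line format and the sample log are assumptions constructed for illustration.

```python
import re

# PEM private-key armor: PKCS#8, encrypted PKCS#8, RSA and EC variants.
_BEGIN = re.compile(r"-----BEGIN (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----")
_END = re.compile(r"-----END (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----")
PLACEHOLDER = "[REDACTED PRIVATE KEY]"


def scrub_log(lines):
    """Return (clean_lines, findings) for an iterable of log lines.

    findings holds the 1-based line number where each key block starts.
    A block with no END marker (truncated log) is redacted to end of input.
    """
    clean, findings, inside = [], [], False
    for number, line in enumerate(lines, start=1):
        if not inside:
            begin = _BEGIN.search(line)
            if begin is None:
                clean.append(line)
                continue
            findings.append(number)
            # Keep any log prefix (timestamp, level) before the armor line.
            clean.append(line[:begin.start()] + PLACEHOLDER)
            # Stay in "inside" state unless END is on the same line.
            inside = _END.search(line, begin.end()) is None
        elif _END.search(line):
            inside = False
        # Lines inside a block (base64 body, END marker) are dropped.
    return clean, findings


# Constructed sample (hypothetical log format, not a real key):
# an app log echoing an inline OpenVPN profile during import.
SAMPLE_LOG = """\
12:00:01 I profile import started
12:00:01 D <key>
12:00:01 D -----BEGIN PRIVATE KEY-----
12:00:01 D Q09OU1RSVUNURUQtTk9ULUEtS0VZ
12:00:01 D -----END PRIVATE KEY-----
12:00:01 D </key>
12:00:02 I connecting
""".splitlines()

if __name__ == "__main__":
    cleaned, hits = scrub_log(SAMPLE_LOG)
    print("key blocks start at lines:", hits)
    print("\n".join(cleaned))
```

The same filter can run over exported logs during incident triage or be placed in front of a log sink so that key material never reaches storage.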


Remediation

Install updates from the vendor's website.
