Channel Accessible by Non-Endpoint

CVE-2023-32634

High

7.8/10

Summary

An authentication bypass vulnerability exists in the CiRpcServerThread() functionality of SoftEther VPN 5.01.9674 and 4.41-9782-beta. An attacker can perform a local man-in-the-middle attack to trigger this vulnerability.

Attack Complexity: LOW
Attack Vector: LOCAL
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: REQUIRED
Privileges Required: NONE
Confidentiality Impact: HIGH
Availability Impact: HIGH

CWE-300 - Channel Accessible by Non-Endpoint

The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.

References

Advisory Timeline

Published Oct 12, 2023

Channel Accessible by Non-Endpoint

CVE-2023-32634

Summary

CWE-300 - Channel Accessible by Non-Endpoint

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS