CVE-2020-25200

Name of the Vulnerable Software and Affected Versions Pritunl version 1.29.2145.25

Description The issue allows attackers to enumerate valid VPN usernames via a series of "/auth/session" login attempts. Initially, the server returns error 401. However, if the username is valid, then after 20 login attempts, the server starts responding with error 400. Invalid usernames receive error 401 indefinitely. The vendor has disputed this as a vulnerability, arguing it is an intended design.

Recommendations For Pritunl version 1.29.2145.25, as a temporary workaround, consider restricting access to the /auth/session endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.