CVE-2024-8474

Name of the Vulnerable Software and Affected Versions OpenVPN Connect versions prior to 3.5.0

Description The issue is related to the logging of clear-text private keys in the application log, which can be used by an unauthorized actor to decrypt VPN traffic. This could allow attackers to access users' private keys, potentially compromising the confidentiality of their VPN traffic. With over 10 million downloads, the potential impact is significant.

Recommendations For OpenVPN Connect versions prior to 3.5.0, update to version 3.5.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the application log to minimize the risk of exploitation. Additionally, users should check their logs for any signs of unauthorized access.