CVE-2024-8474: 
NixOS vulnerability analysis and mitigation

OpenVPN Connect, a popular VPN client application with over 10 million downloads on the Google Play Store, was found to contain a critical security vulnerability (CVE-2024-8474) in versions prior to 3.5.0. The vulnerability involves the exposure of configuration profile's private keys in clear text within the application log (Security Online, NVD).

The vulnerability is classified as CWE-212 (Improper Removal of Sensitive Information Before Storage or Transfer). The CVSS v3.1 base score is 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating a high-severity vulnerability with network accessibility and no required privileges or user interaction (NVD).

The vulnerability allows unauthorized actors to potentially decrypt VPN traffic by accessing the clear-text private keys stored in the application logs. This effectively compromises the security of the VPN connection, rendering the VPN protection useless for affected users (Security Online).

Users are strongly advised to update to OpenVPN Connect version 3.5.0 or later, which addresses the private key exposure vulnerability. Additionally, users should review their application logs for any suspicious activity and consider changing their VPN credentials as a precautionary measure (Security Online).