CVE-2024-53846

Published: Dec 5, 2024

Modified: Dec 6, 2024

PUBLISHED

CVSS v3.1

5.5

MEDIUM

Description

OTP is a set of Erlang libraries, which consists of the Erlang runtime system, a number of ready-to-use components mainly written in Erlang, and a set of design principles for Erlang programs. A regression was introduced into the ssl application of OTP starting at OTP-25.3.2.8, OTP-26.2, and OTP-27.0, resulting in a server or client verifying the peer when incorrect extended key usage is presented (i.e., a server will verify a client if they have server auth ext key usage and vice versa).

Vendor	Product	Versions
erlang	otp	affected `>= 25.3.2.8, <= 25.3.2.16` affected `>= 26.2, <= 26.2.5.6` affected `>= 27.0, <= 27.1.3`

Weaknesses (CWE)

CWE-295

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L

Attack Vector

Network

Attack Complexity

High

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

Low

References

https://github.com/erlang/otp/security/advisories/GHSA-qw6r-qh9v-638v

x_refsource_CONFIRM

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2024-53846

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References