Client Authentication Bypass in Erlang/OTP SSL, TLS, and DTLS Implementations
CVE-2022-37026

9.8CRITICAL

Key Information:

Vendor: Erlang
Status: Erlang\/otp
Vendor: CVE Published:; 21 September 2022

What is CVE-2022-37026?

Erlang/OTP versions prior to 23.3.4.15 and specific releases in the 24.x and 25.x series have a vulnerability that allows a Client Authentication Bypass in certain situations with client certification during SSL, TLS, and DTLS connections. This flaw could allow attackers to bypass authentication, potentially leading to unauthorized access to sensitive systems or data.

References

https://github.com/erlang/otp/compare/OTP-23.3.4.14...OTP...

https://erlangforums.com/c/erlang-news-announcements/91

https://erlangforums.com/t/otp-25-1-released/1854

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 21, 2022
Vulnerability Reserved
Jul 29, 2022