Regression Introduces SSL hijacking Vulnerability in OTP
CVE-2024-53846

5.5MEDIUM

Key Information:

Vendor: Erlang
Status: Otp
Vendor: CVE Published:; 5 December 2024

What is CVE-2024-53846?

OTP is a set of Erlang libraries, which consists of the Erlang runtime system, a number of ready-to-use components mainly written in Erlang, and a set of design principles for Erlang programs. A regression was introduced into the ssl application of OTP starting at OTP-25.3.2.8, OTP-26.2, and OTP-27.0, resulting in a server or client verifying the peer when incorrect extended key usage is presented (i.e., a server will verify a client if they have server auth ext key usage and vice versa).

Affected Version(s)

otp >= 25.3.2.8, <= 25.3.2.16 <= 25.3.2.8, 25.3.2.16

otp >= 26.2, <= 26.2.5.6 <= 26.2, 26.2.5.6

otp >= 27.0, <= 27.1.3 <= 27.0, 27.1.3

References

https://github.com/erlang/otp/security/advisories/GHSA-qw...

x_refsource_CONFIRM

CVSS V3.1

Score:

5.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Dec 5, 2024
Vulnerability Reserved
Nov 22, 2024