OTP is a set of Erlang libraries, which consists of the Erlang runtime system, a number of ready-to-use components mainly written in Erlang, and a set of design principles for Erlang programs. A regression was introduced into the ssl application of OTP starting at OTP-25.3.2.8, OTP-26.2, and OTP-27.0, resulting in a server or client verifying the peer when incorrect extended key usage is presented (i.e., a server will verify a client if they have server auth ext key usage and vice versa).
History

Sat, 07 Dec 2024 01:45:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Moderate


Fri, 06 Dec 2024 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Erlang
Erlang otp
CPEs cpe:2.3:a:erlang:otp:*:*:*:*:*:*:*:*
Vendors & Products Erlang
Erlang otp
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 05 Dec 2024 17:15:00 +0000

Type Values Removed Values Added
Description OTP is a set of Erlang libraries, which consists of the Erlang runtime system, a number of ready-to-use components mainly written in Erlang, and a set of design principles for Erlang programs. A regression was introduced into the ssl application of OTP starting at OTP-25.3.2.8, OTP-26.2, and OTP-27.0, resulting in a server or client verifying the peer when incorrect extended key usage is presented (i.e., a server will verify a client if they have server auth ext key usage and vice versa).
Title ssl fails to validate incorrect extened key usage
Weaknesses CWE-295
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-12-05T17:02:59.370Z

Updated: 2024-12-06T16:26:57.528Z

Reserved: 2024-11-22T17:30:02.140Z

Link: CVE-2024-53846

cve-icon Vulnrichment

Updated: 2024-12-06T16:06:42.817Z

cve-icon NVD

Status : Received

Published: 2024-12-05T17:15:14.477

Modified: 2024-12-05T17:15:14.477

Link: CVE-2024-53846

cve-icon Redhat

Severity : Moderate

Publid Date: 2024-12-05T17:02:59Z

Links: CVE-2024-53846 - Bugzilla