CVE-2020-35733
published 2021-01-15
CVE-2020-35733: An issue was discovered in Erlang/OTP before 23.2.2. The ssl application 10.2 accepts and trusts an invalid X.509 certificate chain to a trusted root…
Priority: P337 · high · 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 1.15% (63.0th percentile)
An issue was discovered in Erlang/OTP before 23.2.2. The ssl application 10.2 accepts and trusts an invalid X.509 certificate chain to a trusted root Certification Authority.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | erlang | < erlang 1:23.2.2+dfsg-1 (bookworm) | erlang 1:23.2.2+dfsg-1 (bookworm) |
| erlang | erlang_otp | < 23.2.2 | 23.2.2 |
| erlang | erlang_otp | >= 0 < 1:23.2.2+dfsg-1 | 1:23.2.2+dfsg-1 |
| erlang | erlang_otp | >= 0 < 1:23.2.2+dfsg-1 | 1:23.2.2+dfsg-1 |
| erlang | erlang_otp | >= 0 < 1:23.2.2+dfsg-1 | 1:23.2.2+dfsg-1 |
| erlang | erlang_otp | >= 0 < 1:23.2.2+dfsg-1 | 1:23.2.2+dfsg-1 |
| fedoraproject | fedora | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
GHSA
GHSA-xg86-vxqv-4j86: An issue was discovered in Erlang/OTP before 23
ghsa_unreviewed·2022-05-24
CVE-2020-35733 [HIGH] CWE-295 GHSA-xg86-vxqv-4j86: An issue was discovered in Erlang/OTP before 23
An issue was discovered in Erlang/OTP before 23.2.2. The ssl application 10.2 accepts and trusts an invalid X.509 certificate chain to a trusted root Certification Authority.
OSV
CVE-2020-35733: An issue was discovered in Erlang/OTP before 23
osv·2021-01-15·CVSS 7.5
CVE-2020-35733 [HIGH] CVE-2020-35733: An issue was discovered in Erlang/OTP before 23
An issue was discovered in Erlang/OTP before 23.2.2. The ssl application 10.2 accepts and trusts an invalid X.509 certificate chain to a trusted root Certification Authority.
Red Hat
erlang: accepts and trusts an invalid X.509 certificate chain
vendor_redhat·2021-01-15·CVSS 7.5
CVE-2020-35733 [HIGH] CWE-295 erlang: accepts and trusts an invalid X.509 certificate chain
erlang: accepts and trusts an invalid X.509 certificate chain
An issue was discovered in Erlang/OTP before 23.2.2. The ssl application 10.2 accepts and trusts an invalid X.509 certificate chain to a trusted root Certification Authority.
A flaw was found in the OTP component of Erlang. The SSL application accepts and trusts invalid X.509 certificate chains. An attacker, able to create a fake certificate chain, could create a man-in-the-middle attack. The highest threat from this vulnerability is to data confidentiality.
Statement: Red Hat CloudForms 5.10 ships affected erlang-OTP component but the product does not use it in a vulnerable way; therefore, the impact is low. The newer version of CloudForms 5.11 does not include the affected component.
Red Hat Ansible Tower 3.6 ships 20.3.8.2
Debian
CVE-2020-35733: erlang - An issue was discovered in Erlang/OTP before 23.2.2. The ssl application 10.2 ac...
vendor_debian·2020·CVSS 7.5
CVE-2020-35733 [HIGH] CVE-2020-35733: erlang - An issue was discovered in Erlang/OTP before 23.2.2. The ssl application 10.2 ac...
An issue was discovered in Erlang/OTP before 23.2.2. The ssl application 10.2 accepts and trusts an invalid X.509 certificate chain to a trusted root Certification Authority.
Scope: local
bookworm: resolved (fixed in 1:23.2.2+dfsg-1)
bullseye: resolved (fixed in 1:23.2.2+dfsg-1)
forky: resolved (fixed in 1:23.2.2+dfsg-1)
sid: resolved (fixed in 1:23.2.2+dfsg-1)
trixie: resolved (fixed in 1:23.2.2+dfsg-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://erlang.org/pipermail/erlang-questions/2021-January/100357.html
- https://github.com/erlang/otp/releases
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E4CXZWUOZELT7A5ZN6DJRQHX7L35V4PW/
- https://www.erlang.org/downloads
- https://www.erlang.org/news
Published: 2021-01-15