CVE-2020-35733 — Improper Certificate Validation in OTP

CWE-295 — Improper Certificate Validation6 documents6 sources

Severity

7.5HIGHNVD

EPSS

0.2%

top 55.32%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Erlang OTP Fedoraproject Fedora

Timeline

PublishedJan 15

Latest updateMay 24

Description

An issue was discovered in Erlang/OTP before 23.2.2. The ssl application 10.2 accepts and trusts an invalid X.509 certificate chain to a trusted root Certification Authority.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDerlang/erlang_otp< 23.2.2

▶Debianerlang/erlang_otp< 1:23.2.2+dfsg-1+3

Also affects: Fedora 33

🔴Vulnerability Details

GHSA

GHSA-xg86-vxqv-4j86: An issue was discovered in Erlang/OTP before 23↗2022-05-24

▶

CVEList

CVE-2020-35733: An issue was discovered in Erlang/OTP before 23↗2021-01-15

▶

OSV

CVE-2020-35733: An issue was discovered in Erlang/OTP before 23↗2021-01-15

▶

📋Vendor Advisories

Red Hat

erlang: accepts and trusts an invalid X.509 certificate chain↗2021-01-15

▶

Debian

CVE-2020-35733: erlang - An issue was discovered in Erlang/OTP before 23.2.2. The ssl application 10.2 ac...↗2020

▶