CVE-2022-37026
published 2022-09-21

Priority: P355
Severity: critical, 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.14% (62.5th percentile)
In Erlang/OTP before 23.3.4.15, 24.x before 24.3.4.2, and 25.x before 25.0.2, there is a Client Authentication Bypass in certain client-certification situations for SSL, TLS, and DTLS.

Affected

8 ranges

| Vendor | Product    | Version range                          | Fixed in                             |
|--------|------------|----------------------------------------|--------------------------------------|
| debian | erlang     | < erlang 1:24.3.4.5+dfsg-1 (bookworm)  | erlang 1:24.3.4.5+dfsg-1 (bookworm)  |
| erlang | erlang_otp | < 23.3.4.15                            | 23.3.4.15                            |
| erlang | erlang_otp | >= 0, < 1:23.2.6+dfsg-1+deb11u1        | 1:23.2.6+dfsg-1+deb11u1              |
| erlang | erlang_otp | >= 0, < 1:24.3.4.5+dfsg-1              | 1:24.3.4.5+dfsg-1                    |
| erlang | erlang_otp | >= 0, < 1:24.3.4.5+dfsg-1              | 1:24.3.4.5+dfsg-1                    |
| erlang | erlang_otp | >= 0, < 1:24.3.4.5+dfsg-1              | 1:24.3.4.5+dfsg-1                    |
| erlang | erlang_otp | >= 24.0, < 24.3.4.2                    | 24.3.4.2                             |
| erlang | erlang_otp | >= 25.0, < 25.0.2                      | 25.0.2                               |

CVSS provenance

| Source        | CVSS version | Score | Severity | Vector                                       |
|---------------|--------------|-------|----------|----------------------------------------------|
| nvd           | v3.1         | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv           |              | 9.8   | CRITICAL |                                              |
| vendor_debian |              | 9.8   | CRITICAL |                                              |
| vendor_redhat |              | 9.8   | CRITICAL |                                              |