CVE-2022-37026 — Improper Authentication in OTP

CWE-287 — Improper Authentication CWE-305 — Authentication Bypass by Primary Weakness7 documents7 sources

Severity

9.8CRITICALNVD

EPSS

0.2%

top 59.50%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Erlang OTP

Timeline

PublishedSep 21

Latest updateMay 8

Description

In Erlang/OTP before 23.3.4.15, 24.x before 24.3.4.2, and 25.x before 25.0.2, there is a Client Authentication Bypass in certain client-certification situations for SSL, TLS, and DTLS.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶NVDerlang/erlang_otp24.0 — 24.3.4.2+2

▶Debianerlang/erlang_otp< 1:23.2.6+dfsg-1+deb11u1+3

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-f399-ff4w-62fm: In Erlang/OTP before 23↗2022-09-22

▶

OSV

CVE-2022-37026: In Erlang/OTP before 23↗2022-09-21

▶

CVEList

CVE-2022-37026: In Erlang/OTP before 23↗2022-09-21

▶

📋Vendor Advisories

Ubuntu

Erlang vulnerability↗2023-05-08

▶

Red Hat

erlang/otp: Client Authentication Bypass↗2022-09-21

▶

Debian

CVE-2022-37026: erlang - In Erlang/OTP before 23.3.4.15, 24.x before 24.3.4.2, and 25.x before 25.0.2, th...↗2022

▶