CVE-2024-53846 — Improper Certificate Validation in OTP

CWE-295 — Improper Certificate Validation7 documents7 sources
Severity
5.5MEDIUMNVD
EPSS
0.0%
top 87.36%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Erlang OTP
Timeline
PublishedDec 5
Latest updateJan 14

Description

OTP is a set of Erlang libraries, which consists of the Erlang runtime system, a number of ready-to-use components mainly written in Erlang, and a set of design principles for Erlang programs. A regression was introduced into the ssl application of OTP starting at OTP-25.3.2.8, OTP-26.2, and OTP-27.0, resulting in a server or client verifying the peer when incorrect extended key usage is presented (i.e., a server will verify a client if they have server auth ext key usage and vice versa).

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:LExploitability: 1.3 | Impact: 3.7

Affected Packages1 packages

â–¶CVEListV5erlang/otp>= 25.3.2.8, <= 25.3.2.16, >= 26.2, <= 26.2.5.6, >= 27.0, <= 27.1.3+2

🔴Vulnerability Details

2
OSV
CVE-2024-53846: OTP is a set of Erlang libraries, which consists of the Erlang runtime system, a number of ready-to-use components mainly written in Erlang, and a set↗2024-12-05
â–¶
CVEList
ssl fails to validate incorrect extened key usage↗2024-12-05
â–¶

📋Vendor Advisories

4
Ubuntu
Erlang vulnerability↗2026-01-14
â–¶
Microsoft
ssl fails to validate incorrect extened key usage↗2024-12-10
â–¶
Red Hat
erlang: ssl fails to validate incorrect extened key usage↗2024-12-05
â–¶
Debian
CVE-2024-53846: erlang - OTP is a set of Erlang libraries, which consists of the Erlang runtime system, a...↗2024
â–¶
CVE-2024-53846 — Improper Certificate Validation in OTP | cvebase