CVE-2024-53846
published 2024-12-05


Priority: P4 25 medium
CVSS 3.1 base score: 5.5 (AV:N / AC:H / PR:H / UI:N / S:C / C:L / I:L / A:L)
EPSS: 0.25% (16.3th percentile)
OTP is a set of Erlang libraries, which consists of the Erlang runtime system, a number of ready-to-use components mainly written in Erlang, and a set of design principles for Erlang programs. A regression was introduced into the ssl application of OTP starting at OTP-25.3.2.8, OTP-26.2, and OTP-27.0, resulting in a server or client verifying the peer when incorrect extended key usage is presented (i.e., a server will verify a client if they have server auth ext key usage and vice versa).

Affected

6 ranges

Vendor: debian; Product: erlang; Version range: < erlang 1:27.2+dfsg-1 (forky); Fixed in: erlang 1:27.2+dfsg-1 (forky)
Vendor: erlang; Product: otp; Version range: (not given); Fixed in: (not given)
Vendor: erlang; Product: otp; Version range: (not given); Fixed in: (not given)
Vendor: erlang; Product: otp; Version range: (not given); Fixed in: (not given)
Vendor: msrc; Product: azl3_erlang_26.2.3-2_on_azure_linux_3.0; Version range: (not given); Fixed in: (not given)
Vendor: msrc; Product: azl3_erlang_26.2.5.6-1_on_azure_linux_3.0; Version range: (not given); Fixed in: (not given)

CVSS provenance

Source: nvd; Version: v3.1; Score: 5.5; Severity: MEDIUM; Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L
Source: osv; Score: 5.5; Severity: MEDIUM
Source: vendor_debian; Score: 5.5; Severity: LOW
Source: vendor_msrc; Score: 5.5; Severity: MEDIUM
Source: vendor_redhat; Score: 5.5; Severity: MEDIUM