CVE-2024-53846: ssl fails to validate incorrect extened key usage

5.5 CVSS

Description

OTP is a set of Erlang libraries, which consists of the Erlang runtime system, a number of ready-to-use components mainly written in Erlang, and a set of design principles for Erlang programs. A regression was introduced into the ssl application of OTP starting at OTP-25.3.2.8, OTP-26.2, and OTP-27.0, resulting in a server or client verifying the peer when incorrect extended key usage is presented (i.e., a server will verify a client if they have server auth ext key usage and vice versa).

Classification

CVE ID: CVE-2024-53846

CVSS Base Severity: MEDIUM

CVSS Base Score: 5.5

Affected Products

Vendor: erlang

Product: otp

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 11.44% (scored less or equal to compared to others)

EPSS Date: 2025-02-03 (when was this score calculated)

References

https://github.com/erlang/otp/security/advisories/GHSA-qw6r-qh9v-638v

Timeline

2024-12-06 00:32:16 UTC
CVE

ssl fails to validate incorrect extened key usage