CVE-2024-53846

OTP is a set of Erlang libraries, which consists of the Erlang runtime system, a number of ready-to-use components mainly written in Erlang, and a set of design principles for Erlang programs. A regression was introduced into the ssl application of OTP starting at OTP-25.3.2.8, OTP-26.2, and OTP-27.0, resulting in a server or client verifying the peer when incorrect extended key usage is presented (i.e., a server will verify a client if they have server auth ext key usage and vice versa).

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.3 / Impact : 3.7

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope CHANGED

References

Link	Resource
https://github.com/erlang/otp/security/advisories/GHSA-qw6r-qh9v-638v

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) OTP es un conjunto de librerías de Erlang, que consta del sistema de ejecución de Erlang, una serie de componentes listos para usar escritos principalmente en Erlang y un conjunto de principios de diseño para programas de Erlang. Se introdujo una regresión en la aplicación SSL de OTP a partir de OTP-25.3.2.8, OTP-26.2 y OTP-27.0, lo que da como resultado que un servidor o cliente verifique al par cuando se presenta un uso incorrecto de la clave extendida (es decir, un servidor verificará a un cliente si tiene un uso de clave extendida de autenticación de servidor y viceversa).

05 Dec 2024, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-12-05 17:15

Updated : 2026-06-17 08:09

NVD link : CVE-2024-53846

Mitre link : CVE-2024-53846

CVE.ORG link : CVE-2024-53846

JSON object : View

Products Affected

No product.

CWE

CWE-295

Improper Certificate Validation

{"id": "CVE-2024-53846", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2024-53846", "role": "CISA Coordinator", "options": [{"exploitation": "poc"}, {"automatable": "no"}, {"technicalImpact": "partial"}], "version": "2.0.3", "timestamp": "2024-12-06T16:04:29.566469Z"}}], "cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 3.7, "exploitabilityScore": 1.3}]}, "affected": [{"source": "security-advisories@github.com", "affectedData": [{"vendor": "erlang", "product": "otp", "versions": [{"status": "affected", "version": ">= 25.3.2.8, <= 25.3.2.16"}, {"status": "affected", "version": ">= 26.2, <= 26.2.5.6"}, {"status": "affected", "version": ">= 27.0, <= 27.1.3"}]}]}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "affectedData": [{"cpes": ["cpe:2.3:a:erlang:otp:*:*:*:*:*:*:*:*"], "vendor": "erlang", "product": "otp", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "25.3.2.8"}], "defaultStatus": "unknown"}]}], "published": "2024-12-05T17:15:14.477", "references": [{"url": "https://github.com/erlang/otp/security/advisories/GHSA-qw6r-qh9v-638v", "source": "security-advisories@github.com"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-295"}]}], "descriptions": [{"lang": "en", "value": "OTP is a set of Erlang libraries, which consists of the Erlang runtime system, a number of ready-to-use components mainly written in Erlang, and a set of design principles for Erlang programs. A regression was introduced into the ssl application of OTP starting at OTP-25.3.2.8, OTP-26.2, and OTP-27.0, resulting in a server or client verifying the peer when incorrect extended key usage is presented (i.e., a server will verify a client if they have server auth ext key usage and vice versa)."}, {"lang": "es", "value": "OTP es un conjunto de librer\u00edas de Erlang, que consta del sistema de ejecuci\u00f3n de Erlang, una serie de componentes listos para usar escritos principalmente en Erlang y un conjunto de principios de dise\u00f1o para programas de Erlang. Se introdujo una regresi\u00f3n en la aplicaci\u00f3n SSL de OTP a partir de OTP-25.3.2.8, OTP-26.2 y OTP-27.0, lo que da como resultado que un servidor o cliente verifique al par cuando se presenta un uso incorrecto de la clave extendida (es decir, un servidor verificar\u00e1 a un cliente si tiene un uso de clave extendida de autenticaci\u00f3n de servidor y viceversa)."}], "lastModified": "2026-06-17T08:09:24.577", "sourceIdentifier": "security-advisories@github.com"}