PT-2020-13308 · Yaws+1
Published: 2020-05-15 · Updated: 2023-01-20 · CVE-2020-12872
CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Yaws versions 2.0.2 through 2.0.7
Description
Yaws loads obsolete TLS ciphers, which can be exploited for Sweet32 attacks. This occurs when Yaws is running on an Erlang/OTP virtual machine with a version earlier than 21.0.
Recommendations
For Yaws versions 2.0.2 through 2.0.7, consider updating the Erlang/OTP virtual machine to version 21.0 or later to mitigate the risk of obsolete TLS ciphers being loaded.
As a temporary workaround, consider disabling the use of obsolete TLS ciphers in the yaws_config.erl configuration file until a patch is available.
Weakness Enumeration
Inadequate Encryption Strength
Related Identifiers
Affected Products
Erlang/Otp
Yaws