PT-2024-10115 · Ericsson+3 · Erlang/Otp+3

Starbelly

Published 2024-12-05 · Updated 2026-01-14 · CVE-2024-53846

CVSS v3.1: 5.5 (Medium)
Vector: AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions

Erlang OTP versions 25.3.2.8 through 27.0
Erlang OTP version 26.2
Erlang OTP versions prior to 27.1.3
Description

A regression in the ssl application of Erlang OTP causes a server or client to accept a peer certificate even when it presents an incorrect extended key usage (EKU). A remote attacker can exploit this to conduct a man-in-the-middle (MitM) attack and gain unauthorized access. The vulnerability stems from errors in the certificate authentication procedure and incorrect certificate checking.
Recommendations

For Erlang OTP versions 25.3.2.8 through 27.0, upgrade to a version later than 27.1.3.
For Erlang OTP version 26.2, upgrade to a version later than 27.1.3.
For Erlang OTP versions prior to 27.1.3, upgrade to version 27.1.3 or later.
As a temporary workaround, consider restricting the use of the ssl application until a patch is available.

Weakness Enumeration

Improper Certificate Validation

Related Identifiers

AZL-54051
BDU:2025-00339
CVE-2024-53846
GHSA-QW6R-QH9V-638V
USN-7961-1

Affected Products

Erlang/Otp
Linuxmint
Red Os
Ubuntu