{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-37026", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-03T10:21:32.690Z", "dateReserved": "2022-07-29T00:00:00", "datePublished": "2022-09-21T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-07-11T00:00:00"}, "descriptions": [{"lang": "en", "value": "In Erlang/OTP before 23.3.4.15, 24.x before 24.3.4.2, and 25.x before 25.0.2, there is a Client Authentication Bypass in certain client-certification situations for SSL, TLS, and DTLS."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/erlang/otp/compare/OTP-23.3.4.14...OTP-23.3.4.15"}, {"url": "https://erlangforums.com/c/erlang-news-announcements/91"}, {"url": "https://erlangforums.com/t/otp-25-1-released/1854"}, {"name": "[debian-lts-announce] 20230711 [SECURITY] [DLA 3491-1] erlang security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00012.html"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T10:21:32.690Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/erlang/otp/compare/OTP-23.3.4.14...OTP-23.3.4.15", "tags": ["x_transferred"]}, {"url": "https://erlangforums.com/c/erlang-news-announcements/91", "tags": ["x_transferred"]}, {"url": "https://erlangforums.com/t/otp-25-1-released/1854", "tags": ["x_transferred"]}, {"name": "[debian-lts-announce] 20230711 [SECURITY] [DLA 3491-1] erlang security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00012.html"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*", "matchCriteriaId": "CD5D60C5-7E93-4B91-A04C-A416D11299C1", "versionEndExcluding": "23.3.4.15", "vulnerable": true}, {"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*", "matchCriteriaId": "B1058D97-F099-4FF9-A84F-3EE257E807C6", "versionEndExcluding": "24.3.4.2", "versionStartIncluding": "24.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*", "matchCriteriaId": "B6091705-FAC3-4A2B-B5A6-93AFC892526A", "versionEndExcluding": "25.0.2", "versionStartIncluding": "25.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Erlang/OTP before 23.3.4.15, 24.x before 24.3.4.2, and 25.x before 25.0.2, there is a Client Authentication Bypass in certain client-certification situations for SSL, TLS, and DTLS."}, {"lang": "es", "value": "En Erlang/OTP versiones anteriores a 23.3.4.15, 24.x anteriores a 24.3.4.2 y 25.x anteriores a 25.0.2, se presenta una Omisi\u00f3n de Autenticaci\u00f3n de Cliente en determinadas situaciones de certificaci\u00f3n de cliente para SSL, TLS y DTLS"}], "id": "CVE-2022-37026", "lastModified": "2023-08-08T14:22:24.967", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-09-21T14:15:11.223", "references": [{"source": "cve@mitre.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://erlangforums.com/c/erlang-news-announcements/91"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://erlangforums.com/t/otp-25-1-released/1854"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/erlang/otp/compare/OTP-23.3.4.14...OTP-23.3.4.15"}, {"source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00012.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2022:8857", "cpe": "cpe:/a:redhat:openstack:16.2::el8", "impact": "moderate", "package": "erlang-0:23.3.4.18-1.el8ost", "product_name": "Red Hat OpenStack Platform 16.2", "release_date": "2022-12-07T00:00:00Z"}], "bugzilla": {"description": "erlang/otp: Client Authentication Bypass", "id": "2141802", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2141802"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "status": "verified"}, "cwe": "CWE-305", "details": ["In Erlang/OTP before 23.3.4.15, 24.x before 24.3.4.2, and 25.x before 25.0.2, there is a Client Authentication Bypass in certain client-certification situations for SSL, TLS, and DTLS.", "A Client Authentication Bypass was found in Erlang/OTP. This issue occurs in certain client-certification situations for SSL, TLS, and DTLS."], "name": "CVE-2022-37026", "package_state": [{"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Will not fix", "impact": "moderate", "package_name": "erlang", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:openstack:16.1", "fix_state": "Will not fix", "impact": "moderate", "package_name": "erlang", "product_name": "Red Hat OpenStack Platform 16.1"}, {"cpe": "cpe:/a:redhat:openstack:17.0", "fix_state": "Not affected", "impact": "moderate", "package_name": "erlang", "product_name": "Red Hat OpenStack Platform 17.0"}], "public_date": "2022-09-21T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-37026\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-37026\nhttps://erlangforums.com/t/otp-25-1-released/1854\nhttps://github.com/erlang/otp/releases/tag/OTP-25.1\nhttps://www.erlang.org/patches/otp-25.1"], "statement": "Some releases of Red Hat OpenStack Platform ship an affected version of the Erlang libraries, however RHOSP is configured to use application-level shared secret authentication during TLS sessions. This makes it unlikely to be exploitable as none of the vulnerable codepaths are exposed and no client certificate is used for authentication. For this reason the impact to Red Hat OpenStack Platform has been downgraded to Moderate.", "threat_severity": "Critical", "upstream_fix": "erlang/otp 25.1"}