CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2019-1000014
https://notcve.org/view.php?id=CVE-2019-1000014
04 Feb 2019 — Erlang/OTP Rebar3 version 3.7.0 through 3.7.5 contains a Signing oracle vulnerability in Package registry verification that can result in Package modifications not detected, allowing code execution. This attack appears to be exploitable via Victim fetches packages from malicious/compromised mirror. This vulnerability appears to have been fixed in 3.8.0. Erlang/OTP Rebar3, desde la versión 3.7.0 hasta la 3.7.5, contiene una vulnerabilidad de oráculo de firma en la verificación de registros de paquetes que pu... • https://github.com/erlang/rebar3/pull/1986 •
CVSS: 6.5EPSS: 83%CPEs: 5EXPL: 0CVE-2017-1000385 – erlang: TLS server vulnerable to Adaptive Chosen Ciphertext attack allowing plaintext recovery or MITM attack
https://notcve.org/view.php?id=CVE-2017-1000385
09 Dec 2017 — The Erlang otp TLS server answers with different TLS alerts to different error types in the RSA PKCS #1 1.5 padding. This allows an attacker to decrypt content or sign messages with the server's private key (this is a variation of the Bleichenbacher attack). El servidor TLS en Erlang/OTP responde con alertas TLS diferentes a los diferentes tipos de error en el relleno RSA PKCS #1 1.5. Esto permite que un atacante descifre contenido o firme mensajes con la clave privada del servidor (esta es una variación de... • http://erlang.org/pipermail/erlang-questions/2017-November/094255.html • CWE-203: Observable Discrepancy CWE-300: Channel Accessible by Non-Endpoint •
CVSS: 9.8EPSS: 0%CPEs: 67EXPL: 0CVE-2016-10253 – Ubuntu Security Notice USN-3571-1
https://notcve.org/view.php?id=CVE-2016-10253
18 Mar 2017 — An issue was discovered in Erlang/OTP 18.x. Erlang's generation of compiled regular expressions is vulnerable to a heap overflow. Regular expressions using a malformed extpattern can indirectly specify an offset that is used as an array index. This ordinal permits arbitrary regions within the erts_alloc arena to be both read and written to. Se ha descubierto un problema en Erlang/OTP 18.x. • https://github.com/erlang/otp/pull/1108 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 5.9EPSS: 0%CPEs: 3EXPL: 0CVE-2015-2774 – Ubuntu Security Notice USN-3571-1
https://notcve.org/view.php?id=CVE-2015-2774
07 Apr 2016 — Erlang/OTP before 18.0-rc1 does not properly check CBC padding bytes when terminating connections, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, a variant of CVE-2014-3566 (aka POODLE). Erlang/OTP en versiones anteriores a 18.0-rc1 no comprueba correctamente los bytes de relleno CBC cuando finaliza las conexiones, lo que hace más fácil para atacantes man-in-the-middle obtener datos en texto plano a través de un ataque padding-oracle, una variante... • http://lists.opensuse.org/opensuse-updates/2016-02/msg00124.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2014-1693 – Ubuntu Security Notice USN-3571-1
https://notcve.org/view.php?id=CVE-2014-1693
08 Dec 2014 — Multiple CRLF injection vulnerabilities in the FTP module in Erlang/OTP R15B03 allow context-dependent attackers to inject arbitrary FTP commands via CRLF sequences in the (1) user, (2) account, (3) cd, (4) ls, (5) nlist, (6) rename, (7) delete, (8) mkdir, (9) rmdir, (10) recv, (11) recv_bin, (12) recv_chunk_start, (13) send, (14) send_bin, (15) send_chunk_start, (16) append_chunk_start, (17) append, or (18) append_bin command. Múltiples vulnerabilidades de inyección CRLF en el módulo FTP en Erlang/OTP R15B... • http://advisories.mageia.org/MGASA-2014-0553.html •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 1CVE-2014-2829
https://notcve.org/view.php?id=CVE-2014-2829
11 Apr 2014 — Erlang Solutions MongooseIM through 1.3.1 rev. 2 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an "xmppbomb" attack. Erlang Solutions MongooseIM hasta 1.3.1 rev. 2 no restringe debidamente el procesamiento de elementos XML comprimidos, lo que permite a atacantes remotos causar una denegación de servicio (consumo de recursos) a través de una cadena XMPP manipulada, también ... • http://xmpp.org/resources/security-notices/uncontrolled-resource-consumption-with-highly-compressed-xmpp-stanzas • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.8EPSS: 2%CPEs: 12EXPL: 0CVE-2011-0766
https://notcve.org/view.php?id=CVE-2011-0766
31 May 2011 — The random number generator in the Crypto application before 2.0.2.2, and SSH before 2.0.5, as used in the Erlang/OTP ssh library before R14B03, uses predictable seeds based on the current time, which makes it easier for remote attackers to guess DSA host and SSH session keys. El generador de números aleatorios de la aplicación Crypto en versiones anteriores a la 2.0.2.2, y SSH anteriores a 2.0.5, como es usado en la librería Erlang/OTP ssh en versiones anteriores a la R14B03, utiliza semillas predecibles b... • http://secunia.com/advisories/44709 • CWE-310: Cryptographic Issues •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2009-0130
https://notcve.org/view.php?id=CVE-2009-0130
15 Jan 2009 — lib/crypto/c_src/crypto_drv.c in erlang does not properly check the return value from the OpenSSL DSA_do_verify function, which might allow remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077. NOTE: a package maintainer disputes this issue, reporting that there is a proper check within the only code that uses the applicable part of crypto_drv.c, and thus "this report is invalid. ** CUESTIONADA ** lib/crypto/c_src/crypto_d... • http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511520 • CWE-287: Improper Authentication •