OTP is a set of Erlang libraries, which consists of the Erlang runtime system, a number of ready-to-use components mainly written in Erlang, and a set of design principles for Erlang programs. A regression was introduced into the ssl application of OTP starting at OTP-25.3.2.8, OTP-26.2, and OTP-27.0, resulting in a server or client verifying the peer when incorrect extended key usage is presented (i.e., a server will verify a client if they have server auth ext key usage and vice versa).

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - OTP is a set of Erlang libraries, which consists of the Erlang runtime system, a number of ready-to-use     components mainly written in Erlang, and a set of design principles for Erlang programs. A regression was     introduced into the ssl application of OTP starting at OTP-25.3.2.8, OTP-26.2, and OTP-27.0, resulting in     a server or client verifying the peer when incorrect extended key usage is presented (i.e., a server will     verify a client if they have server auth ext key usage and vice versa). (CVE-2024-53846)

Note that Nessus relies on the presence of the package as reported by the vendor.

The version of Erlang/OTP installed on the remote host is 25.3.2.8 prior to 25.3.2.16, 26.2 prior to 26.2.5.6, or 27.0 prior to 27.1.3. It is, therefore, affected by an improper certificate validation vulnerability:

  - OTP is a set of Erlang libraries, which consists of the Erlang runtime system, a number of ready-to-use components     mainly written in Erlang, and a set of design principles for Erlang programs. A regression was introduced into the     ssl application of OTP starting at OTP-25.3.2.8, OTP-26.2, and OTP-27.0, resulting in a server or client verifying     the peer when incorrect extended key usage is presented (i.e., a server will verify a client if they have server     auth ext key usage and vice versa). (CVE-2024-53846)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

An update of the erlang package has been released.

ID	Name	Product	Family	Severity
265884	Linux Distros Unpatched Vulnerability : CVE-2024-53846	Nessus	Misc.	medium
237193	Erlang/OTP 25.3.2.8 < 25.3.2.16 / 26.2 < 26.2.5.6 / 27.0 < 27.1.3 Improper Certificate Validation (CVE-2024-53846)	Nessus	Misc.	medium
234711	Photon OS 5.0: Erlang PHSA-2025-5.0-0505	Nessus	PhotonOS Local Security Checks	high
234549	Photon OS 4.0: Erlang PHSA-2025-4.0-0782	Nessus	PhotonOS Local Security Checks	high

Detections

Analytics

CVE-2024-53846

medium

Tenable Plugins

medium

medium

high

high