VulnerableCode Package Details - pkg:deb/debian/erlang@0?distro=trixie

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-m8hy-2shf-fqf2	erlang: ssl fails to validate incorrect extened key usage	CVE-2024-53846
VCID-tba3-4nap-wqdr	A local privilege escalation vulnerability was discovered in Erlang/OTP prior to version 23.2.3. By adding files to an existing installation's directory, a local attacker could hijack accounts of other users running Erlang programs or possibly coerce a service running with "erlsrv.exe" to execute arbitrary code as Local System. This can occur only under specific conditions on Windows with unsafe filesystem permissions.	CVE-2021-29221
VCID-zegc-rj1x-ryau	Improper Certificate Validation vulnerability in Erlang OTP public_key (pubkey_ocsp module) allows OCSP designated-responder authorization bypass via missing signature verification. The OCSP response validation in public_key:pkix_ocsp_validate/5 does not verify that a CA-designated responder certificate was cryptographically signed by the issuing CA. Instead, it only checks that the responder certificate's issuer name matches the CA's subject name and that the certificate has the OCSPSigning extended key usage. An attacker who can intercept or control OCSP responses can create a self-signed certificate with a matching issuer name and the OCSPSigning EKU, and use it to forge OCSP responses that mark revoked certificates as valid. This affects SSL/TLS clients using OCSP stapling, which may accept connections to servers with revoked certificates, potentially transmitting sensitive data to compromised servers. Applications using the public_key:pkix_ocsp_validate/5 API directly are also affected, with impact depending on usage context. This vulnerability is associated with program files lib/public_key/src/pubkey_ocsp.erl and program routines pubkey_ocsp:is_authorized_responder/3. This issue affects OTP from OTP 27.0 until OTP 28.4.2 and 27.3.4.10 corresponding to public_key from 1.16 until 1.20.3 and 1.17.1.2, and ssl from 11.2 until 11.5.4 and 11.2.12.7.	CVE-2026-32144

Vulnerability

Summary

Aliases

VCID-m8hy-2shf-fqf2

erlang: ssl fails to validate incorrect extened key usage

CVE-2024-53846

VCID-tba3-4nap-wqdr

A local privilege escalation vulnerability was discovered in Erlang/OTP prior to version 23.2.3. By adding files to an existing installation's directory, a local attacker could hijack accounts of other users running Erlang programs or possibly coerce a service running with "erlsrv.exe" to execute arbitrary code as Local System. This can occur only under specific conditions on Windows with unsafe filesystem permissions.

CVE-2021-29221

VCID-zegc-rj1x-ryau

Improper Certificate Validation vulnerability in Erlang OTP public_key (pubkey_ocsp module) allows OCSP designated-responder authorization bypass via missing signature verification. The OCSP response validation in public_key:pkix_ocsp_validate/5 does not verify that a CA-designated responder certificate was cryptographically signed by the issuing CA. Instead, it only checks that the responder certificate's issuer name matches the CA's subject name and that the certificate has the OCSPSigning extended key usage. An attacker who can intercept or control OCSP responses can create a self-signed certificate with a matching issuer name and the OCSPSigning EKU, and use it to forge OCSP responses that mark revoked certificates as valid. This affects SSL/TLS clients using OCSP stapling, which may accept connections to servers with revoked certificates, potentially transmitting sensitive data to compromised servers. Applications using the public_key:pkix_ocsp_validate/5 API directly are also affected, with impact depending on usage context. This vulnerability is associated with program files lib/public_key/src/pubkey_ocsp.erl and program routines pubkey_ocsp:is_authorized_responder/3. This issue affects OTP from OTP 27.0 until OTP 28.4.2 and 27.3.4.10 corresponding to public_key from 1.16 until 1.20.3 and 1.17.1.2, and ssl from 11.2 until 11.5.4 and 11.2.12.7.

CVE-2026-32144

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T10:06:43.004858+00:00	Debian Importer	Fixing	VCID-tba3-4nap-wqdr	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T09:34:49.205576+00:00	Debian Importer	Fixing	VCID-m8hy-2shf-fqf2	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-13T12:47:33.129007+00:00	Debian Importer	Fixing	VCID-zegc-rj1x-ryau	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T07:35:15.708777+00:00	Debian Importer	Fixing	VCID-tba3-4nap-wqdr	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-11T18:22:55.361913+00:00	Debian Importer	Fixing	VCID-m8hy-2shf-fqf2	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-09T17:35:03.379937+00:00	Debian Importer	Fixing	VCID-zegc-rj1x-ryau	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-02T17:17:48.854935+00:00	Debian Importer	Fixing	VCID-m8hy-2shf-fqf2	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-02T17:12:02.475092+00:00	Debian Importer	Fixing	VCID-tba3-4nap-wqdr	https://security-tracker.debian.org/tracker/data/json	38.1.0