VulnerableCode Package Details - pkg:deb/debian/erlang@1:27.3.4.9%2Bdfsg-1

Search for packages

Vulnerability	Summary	Fixed by
VCID-gcn7-ak4r-eba3 Aliases: CVE-2026-28808	Incorrect Authorization vulnerability in Erlang OTP (inets modules) allows unauthenticated access to CGI scripts protected by directory rules when served via script_alias. When script_alias maps a URL prefix to a directory outside DocumentRoot, mod_auth evaluates directory-based access controls against the DocumentRoot-relative path while mod_cgi executes the script at the ScriptAlias-resolved path. This path mismatch allows unauthenticated access to CGI scripts that directory rules were meant to protect. This vulnerability is associated with program files lib/inets/src/http_server/mod_alias.erl, lib/inets/src/http_server/mod_auth.erl, and lib/inets/src/http_server/mod_cgi.erl. This issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19 corresponding to inets from 5.10 until 9.6.2, 9.3.2.4 and 9.1.0.6.	1:27.3.4.10+dfsg-1 Affected by 0 other vulnerabilities.
VCID-j7t3-nrjj-pfgp Aliases: CVE-2026-28810		1:27.3.4.10+dfsg-1 Affected by 0 other vulnerabilities.
VCID-zegc-rj1x-ryau Aliases: CVE-2026-32144	Improper Certificate Validation vulnerability in Erlang OTP public_key (pubkey_ocsp module) allows OCSP designated-responder authorization bypass via missing signature verification. The OCSP response validation in public_key:pkix_ocsp_validate/5 does not verify that a CA-designated responder certificate was cryptographically signed by the issuing CA. Instead, it only checks that the responder certificate's issuer name matches the CA's subject name and that the certificate has the OCSPSigning extended key usage. An attacker who can intercept or control OCSP responses can create a self-signed certificate with a matching issuer name and the OCSPSigning EKU, and use it to forge OCSP responses that mark revoked certificates as valid. This affects SSL/TLS clients using OCSP stapling, which may accept connections to servers with revoked certificates, potentially transmitting sensitive data to compromised servers. Applications using the public_key:pkix_ocsp_validate/5 API directly are also affected, with impact depending on usage context. This vulnerability is associated with program files lib/public_key/src/pubkey_ocsp.erl and program routines pubkey_ocsp:is_authorized_responder/3. This issue affects OTP from OTP 27.0 until OTP 28.4.2 and 27.3.4.10 corresponding to public_key from 1.16 until 1.20.3 and 1.17.1.2, and ssl from 11.2 until 11.5.4 and 11.2.12.7.	1:27.3.4.10+dfsg-1 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-gcn7-ak4r-eba3
Aliases:
CVE-2026-28808

Incorrect Authorization vulnerability in Erlang OTP (inets modules) allows unauthenticated access to CGI scripts protected by directory rules when served via script_alias. When script_alias maps a URL prefix to a directory outside DocumentRoot, mod_auth evaluates directory-based access controls against the DocumentRoot-relative path while mod_cgi executes the script at the ScriptAlias-resolved path. This path mismatch allows unauthenticated access to CGI scripts that directory rules were meant to protect. This vulnerability is associated with program files lib/inets/src/http_server/mod_alias.erl, lib/inets/src/http_server/mod_auth.erl, and lib/inets/src/http_server/mod_cgi.erl. This issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19 corresponding to inets from 5.10 until 9.6.2, 9.3.2.4 and 9.1.0.6.

1:27.3.4.10+dfsg-1
Affected by 0 other vulnerabilities.

VCID-j7t3-nrjj-pfgp
Aliases:
CVE-2026-28810

1:27.3.4.10+dfsg-1
Affected by 0 other vulnerabilities.

VCID-zegc-rj1x-ryau
Aliases:
CVE-2026-32144

Improper Certificate Validation vulnerability in Erlang OTP public_key (pubkey_ocsp module) allows OCSP designated-responder authorization bypass via missing signature verification. The OCSP response validation in public_key:pkix_ocsp_validate/5 does not verify that a CA-designated responder certificate was cryptographically signed by the issuing CA. Instead, it only checks that the responder certificate's issuer name matches the CA's subject name and that the certificate has the OCSPSigning extended key usage. An attacker who can intercept or control OCSP responses can create a self-signed certificate with a matching issuer name and the OCSPSigning EKU, and use it to forge OCSP responses that mark revoked certificates as valid. This affects SSL/TLS clients using OCSP stapling, which may accept connections to servers with revoked certificates, potentially transmitting sensitive data to compromised servers. Applications using the public_key:pkix_ocsp_validate/5 API directly are also affected, with impact depending on usage context. This vulnerability is associated with program files lib/public_key/src/pubkey_ocsp.erl and program routines pubkey_ocsp:is_authorized_responder/3. This issue affects OTP from OTP 27.0 until OTP 28.4.2 and 27.3.4.10 corresponding to public_key from 1.16 until 1.20.3 and 1.17.1.2, and ssl from 11.2 until 11.5.4 and 11.2.12.7.

1:27.3.4.10+dfsg-1
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-13T07:54:04.432711+00:00	Debian Importer	Fixing	VCID-wwcj-hwqc-f3g7	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-12T17:48:06.890001+00:00	Debian Importer	Affected by	VCID-j7t3-nrjj-pfgp	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-11T18:24:24.291156+00:00	Debian Importer	Affected by	VCID-gcn7-ak4r-eba3	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-11T18:21:19.322021+00:00	Debian Importer	Fixing	VCID-w9yj-xg82-kyac	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-11T18:14:18.795238+00:00	Debian Importer	Fixing	VCID-s9qn-9qdm-j7ej	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-10T08:59:20.747690+00:00	Debian Importer	Affected by	VCID-zegc-rj1x-ryau	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-10T07:23:02.480188+00:00	Debian Importer	Affected by	VCID-j7t3-nrjj-pfgp	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-10T07:19:56.923136+00:00	Debian Importer	Affected by	VCID-gcn7-ak4r-eba3	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-02T17:13:55.167179+00:00	Debian Importer	Fixing	VCID-h1k4-x8vr-5bch	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-02T17:12:05.081707+00:00	Debian Importer	Fixing	VCID-wwcj-hwqc-f3g7	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-02T17:11:58.962861+00:00	Debian Importer	Fixing	VCID-s9qn-9qdm-j7ej	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-02T17:05:10.446171+00:00	Debian Importer	Fixing	VCID-w9yj-xg82-kyac	https://security-tracker.debian.org/tracker/data/json	38.1.0