rpm package
opensuse/erlang&distro=openSUSE Leap 16.0
pkg:rpm/opensuse/erlang&distro=openSUSE%20Leap%2016.0
Vulnerabilities (15)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-42790 | High | 8.1 | | < 27.1.3-160000.5.1 | 27.1.3-160000.5.1 | May 27, 2026 | Improper Certificate Validation vulnerability in Erlang OTP public_key (pubkey_cert and public_key modules) allows a DNS nameConstraints bypass via subject CommonName fallback in TLS hostname verification. Two flaws combine to allow a subordinate CA whose DNS nameConstraints are |
| CVE-2026-42791 | Low | 3.7 | | < 27.1.3-160000.5.1 | 27.1.3-160000.5.1 | May 27, 2026 | Improper Certificate Validation vulnerability in Erlang OTP public_key (pubkey_ocsp module) allows forged OCSP responses signed with an expired responder certificate to be accepted as valid. OCSP response verification in pubkey_ocsp:verify_response/5 and pubkey_ocsp:is_authorize |
| CVE-2026-42789 | Medium | 4.8 | | < 27.1.3-160000.5.1 | 27.1.3-160000.5.1 | May 27, 2026 | Improper Following of a Certificate's Chain of Trust vulnerability in Erlang OTP public_key (pubkey_cert module) allows a non-CA certificate to be accepted as an intermediate issuer, enabling certificate chain forgery. In lib/public_key/src/pubkey_cert.erl, pubkey_cert:validate_ |
| CVE-2026-32147 | Medium | 4.3 | | < 27.1.3-160000.5.1 | 27.1.3-160000.5.1 | Apr 21, 2026 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP ssh (ssh_sftpd module) allows an authenticated SFTP user to modify file attributes outside the configured chroot directory. The SFTP daemon (ssh_sftpd) stores the raw, user |
| CVE-2026-32144 | High | 7.4 | | < 27.1.3-160000.4.1 | 27.1.3-160000.4.1 | Apr 7, 2026 | Improper Certificate Validation vulnerability in Erlang OTP public_key (pubkey_ocsp module) allows OCSP designated-responder authorization bypass via missing signature verification. The OCSP response validation in public_key:pkix_ocsp_validate/5 does not verify that a CA-designa |
| CVE-2026-28808 | Critical | 9.8 | | < 27.1.3-160000.4.1 | 27.1.3-160000.4.1 | Apr 7, 2026 | Incorrect Authorization vulnerability in Erlang OTP (inets modules) allows unauthenticated access to CGI scripts protected by directory rules when served via script_alias. When script_alias maps a URL prefix to a directory outside DocumentRoot, mod_auth evaluates directory-based |
| CVE-2026-28810 | Low | 3.7 | | < 27.1.3-160000.4.1 | 27.1.3-160000.4.1 | Apr 7, 2026 | Generation of Predictable Numbers or Identifiers vulnerability in Erlang/OTP kernel (inet_res, inet_db modules) allows DNS Cache Poisoning. The built-in DNS resolver (inet_res) uses a sequential, process-global 16-bit transaction ID for UDP queries and does not implement source |
| CVE-2026-23943 | Medium | 5.3 | | < 27.1.3-160000.4.1 | 27.1.3-160000.4.1 | Mar 13, 2026 | Improper Handling of Highly Compressed Data (Compression Bomb) vulnerability in Erlang OTP ssh (ssh_transport modules) allows Denial of Service via Resource Depletion. The SSH transport layer advertises legacy zlib compression by default and inflates attacker-controlled payloads |
| CVE-2026-23942 | Medium | 5.4 | | < 27.1.3-160000.4.1 | 27.1.3-160000.4.1 | Mar 13, 2026 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP (ssh_sftpd module) allows Path Traversal. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl and program routines ssh_sftpd:is_within_root/2. Th |
| CVE-2026-23941 | Critical | 9.4 | | < 27.1.3-160000.4.1 | 27.1.3-160000.4.1 | Mar 13, 2026 | Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in Erlang OTP (inets httpd module) allows HTTP Request Smuggling. This vulnerability is associated with program files lib/inets/src/http_server/httpd_request.erl and program routines httpd_requ |
| CVE-2026-21620 | Low | — | | < 27.1.3-160000.4.1 | 27.1.3-160000.4.1 | Feb 20, 2026 | Relative Path Traversal, Improper Isolation or Compartmentalization vulnerability in erlang otp erlang/otp (tftp_file modules), erlang otp inets (tftp_file modules), erlang otp tftp (tftp_file modules) allows Relative Path Traversal. This vulnerability is associated with program |
| CVE-2025-48040 | Medium | — | | < 27.1.3-160000.3.1 | 27.1.3-160000.3.1 | Sep 11, 2025 | Uncontrolled Resource Consumption vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Flooding. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl. This issue affects OTP from OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2 |
| CVE-2025-48039 | Medium | — | | < 27.1.3-160000.3.1 | 27.1.3-160000.3.1 | Sep 11, 2025 | Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Resource Leak Exposure. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl. This issue affects OTP from OTP 17.0 until |
| CVE-2025-48038 | Medium | — | | < 27.1.3-160000.3.1 | 27.1.3-160000.3.1 | Sep 11, 2025 | Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Resource Leak Exposure. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl. This issue affects OTP from OTP 17.0 until |
| CVE-2025-4748 | Medium | — | | < 27.1.3-160000.5.1 | 27.1.3-160000.5.1 | Jun 16, 2025 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP (stdlib modules) allows Absolute Path Traversal, File Manipulation. This vulnerability is associated with program files lib/stdlib/src/zip.erl and program routines zip:unzip |