Erlang Otp
CVE-2015-2774
MEDIUM
Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Erlang/OTP before 18.0-rc1 does not properly check CBC padding bytes when terminating connections, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, a variant of CVE-2014-3566 (aka POODLE).
AnalysisAI
Erlang/OTP before 18.0-rc1 does not properly check CBC padding bytes when terminating connections, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Exposure of Sensitive Information (CWE-200), which allows attackers to access sensitive data that should not be disclosed. Erlang/OTP before 18.0-rc1 does not properly check CBC padding bytes when terminating connections, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, a variant of CVE-2014-3566 (aka POODLE). Affected products include: Erlang Erlang\/Otp, Oracle Solaris, Opensuse. Version information: before 18.0.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Minimize information in error messages, implement proper access controls, encrypt sensitive data at rest and in transit.
More in Erlang Otp
View allErlang/OTP SSH server allows unauthenticated remote code execution by exploiting a flaw in SSH protocol message handling
The Erlang otp TLS server answers with different TLS alerts to different error types in the RSA PKCS #1 1.5 padding. Rat
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remot
Multiple CRLF injection vulnerabilities in the FTP module in Erlang/OTP R15B03 allow context-dependent attackers to inje
A local privilege escalation vulnerability was discovered in Erlang/OTP prior to version 23.2.3. Rated high severity (CV
An issue was discovered in Erlang/OTP 18.x. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitab
In Erlang/OTP before 23.3.4.15, 24.x before 24.3.4.2, and 25.x before 25.0.2, there is a Client Authentication Bypass in
TLS server impersonation in Erlang/OTP's public_key library lets a name-constrained subordinate CA forge a trusted ident
Erlang/OTP 22.3.x before 22.3.4.6 and 23.x before 23.1 allows Directory Traversal. Rated high severity (CVSS 7.5), this
Certificate chain forgery in Erlang/OTP's public_key application (pubkey_cert module) lets a non-CA end-entity certifica
OCSP responder certificate validity bypass in Erlang OTP's public_key library allows forged OCSP responses-signed with t
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today