Vulnerability Description
yaws_config.erl in Yaws through 2.0.2 and/or 2.0.7 loads obsolete TLS ciphers, as demonstrated by ones that allow Sweet32 attacks, if running on an Erlang/OTP virtual machine with a version less than 21.0.
CVSS Score
5.5
MEDIUM
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Yaws | Yaws | >= 2.0.2, <= 2.0.6 |
Related Weaknesses (CWE)
References
- https://github.com/erlyaws/yaws/blob/c0fd79f17d52628fcec527da7fa3e788c283c445/srExploitThird Party Advisory
- https://github.com/erlyaws/yaws/issues/402Issue TrackingThird Party Advisory
- https://github.com/erlyaws/yaws/releasesRelease NotesThird Party Advisory
- https://medium.com/%40charlielabs101/cve-2020-12872-df315411aa70
- https://sweet32.info/Third Party Advisory
- https://github.com/erlyaws/yaws/blob/c0fd79f17d52628fcec527da7fa3e788c283c445/srExploitThird Party Advisory
- https://github.com/erlyaws/yaws/issues/402Issue TrackingThird Party Advisory
- https://github.com/erlyaws/yaws/releasesRelease NotesThird Party Advisory
- https://medium.com/%40charlielabs101/cve-2020-12872-df315411aa70
- https://sweet32.info/Third Party Advisory
FAQ
What is CVE-2020-12872?
CVE-2020-12872 is a vulnerability with a CVSS score of 5.5 (MEDIUM). yaws_config.erl in Yaws through 2.0.2 and/or 2.0.7 loads obsolete TLS ciphers, as demonstrated by ones that allow Sweet32 attacks, if running on an Erlang/OTP virtual machine with a version less than ...
How severe is CVE-2020-12872?
CVE-2020-12872 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-12872?
Check the references section above for vendor advisories and patch information. Affected products include: Yaws Yaws.