CVE-2020-12872: Weak Encryption
First published: Fri May 15 2020(Updated: )
yaws_config.erl in Yaws through 2.0.2 and/or 2.0.7 loads obsolete TLS ciphers, as demonstrated by ones that allow Sweet32 attacks, if running on an Erlang/OTP virtual machine with a version less than 21.0.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Yaws | >=2.0.2<=2.0.6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/erlyaws/yaws/blob/c0fd79f17d52628fcec527da7fa3e788c283c445/src/yaws_config.erl#L2068-L2075
- https://github.com/erlyaws/yaws/issues/402
- https://github.com/erlyaws/yaws/releases
- https://medium.com/@charlielabs101/cve-2020-12872-df315411aa70
- https://sweet32.info/
- https://medium.com/%40charlielabs101/cve-2020-12872-df315411aa70
Frequently Asked Questions
What is the severity of CVE-2020-12872?
CVE-2020-12872 has a medium severity level due to the potential exposure to Sweet32 attacks.
How do I fix CVE-2020-12872?
To fix CVE-2020-12872, update Yaws to version 2.0.8 or later or ensure your Erlang/OTP version is 21.0 or higher.
What kind of attacks is CVE-2020-12872 vulnerable to?
CVE-2020-12872 is vulnerable to Sweet32 attacks due to the use of obsolete TLS ciphers.
Which versions of Yaws are affected by CVE-2020-12872?
CVE-2020-12872 affects Yaws versions 2.0.2 to 2.0.7.
What component of Yaws does CVE-2020-12872 impact?
CVE-2020-12872 impacts the yaws_config.erl component in Yaws software.
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/weakness
- agent/references
- agent/author
- agent/severity
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/yaws
- canonical/yaws
- version/yaws/2.0.2
- version/yaws/2.0.6