yaws_config.erl in Yaws through 2.0.2 and/or 2.0.7 loads obsolete TLS ciphers, as demonstrated by ones that allow Sweet32 attacks, if running on an Erlang/OTP virtual machine with a version less than 21.0.

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Yaws | Yaws | 2.0.2 (including) | 2.0.6 (including) |
| Yaws | Ubuntu | bionic | * |
| Yaws | Ubuntu | eoan | * |
| Yaws | Ubuntu | focal | * |
| Yaws | Ubuntu | groovy | * |
| Yaws | Ubuntu | hirsute | * |
| Yaws | Ubuntu | impish | * |
| Yaws | Ubuntu | kinetic | * |
| Yaws | Ubuntu | lunar | * |
| Yaws | Ubuntu | mantic | * |
| Yaws | Ubuntu | oracular | * |
| Yaws | Ubuntu | trusty | * |
| Yaws | Ubuntu | xenial | * |