CVE-2020-25623

Published: 02 October 2020

Erlang/OTP 22.3.x before 22.3.4.6 and 23.x before 23.1 allows Directory Traversal. An attacker can send a crafted HTTP request to read arbitrary files, if httpd in the inets application is used.

Priority

Medium

CVSS 3 base score: 7.5

Status

Package: erlang (Launchpad, Ubuntu, Debian)

Release                             Status
Upstream                            Released (1:23.1+dfsg-1)
Ubuntu 20.04 LTS (Focal Fossa)      Not vulnerable (1:22.2.7+dfsg-1)
Ubuntu 18.04 LTS (Bionic Beaver)    Not vulnerable (1:20.2.2+dfsg-1ubuntu2)
Ubuntu 16.04 ESM (Xenial Xerus)     Not vulnerable (1:18.3-dfsg-1ubuntu3.1)
Ubuntu 14.04 ESM (Trusty Tahr)      Not vulnerable

Patches:
Upstream: https://github.com/erlang/otp/commit/5296ae6c4761f26600c05e447cb0bda78a93b602 (22)
Upstream: https://github.com/erlang/otp/commit/5296ae6c4761f26600c05e447cb0bda78a93b602 (23)

Notes

Author: mdeslaur
Note: per upstream, introduced in OTP 22.3.1 and corrected in OTP 22.3.4.6. It was also introduced in OTP 23.0 and corrected in OTP 23.1.

References