CVE-2020-25623 — Path Traversal in OTP

CWE-22 — Path Traversal7 documents7 sources

Severity

7.5HIGHNVD

EPSS

0.9%

top 23.81%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Erlang OTP

Timeline

PublishedOct 2

Latest updateMay 24

Description

Erlang/OTP 22.3.x before 22.3.4.6 and 23.x before 23.1 allows Directory Traversal. An attacker can send a crafted HTTP request to read arbitrary files, if httpd in the inets application is used.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDerlang/erlang_otp22.3.0 — 22.3.4.6+1

▶Debianerlang/erlang_otp< 1:23.1+dfsg-1+3

🔴Vulnerability Details

GHSA

GHSA-xm5m-7wr8-cvwh: Erlang/OTP 22↗2022-05-24

▶

CVEList

CVE-2020-25623: Erlang/OTP 22↗2020-10-02

▶

OSV

CVE-2020-25623: Erlang/OTP 22↗2020-10-02

▶

📋Vendor Advisories

Red Hat

Erlang/OTP: allows attackers to read arbitrary files via a crafted HTTP request↗2020-09-23

▶

Debian

CVE-2020-25623: erlang - Erlang/OTP 22.3.x before 22.3.4.6 and 23.x before 23.1 allows Directory Traversa...↗2020

▶

💬Community

Bugzilla

CVE-2020-25623 Erlang/OTP: allows attackers to read arbitrary files via a crafted HTTP request↗2020-10-05

▶