Bug 1885311 (CVE-2020-25623)

Summary: CVE-2020-25623 Erlang/OTP: allows attackers to read arbitrary files via a crafted HTTP request
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: apevec, cmeyers, dbecker, gblomqui, gmainwar, jeckersb, jjoyce, jschluet, lemenkov, lhh, lpeer, mabashia, mburns, notting, plemenko, rhbugs, rjones, rpetrell, sclewis, slinaber, smcdonal, s
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: erlang, erlang 23.1 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-10-06 02:21:20 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1884726    

Description Guilherme de Almeida Suckevicz 2020-10-05 15:07:11 UTC
Erlang/OTP 22.3.x before and 23.x before 23.1 allows Directory Traversal. An attacker can send a crafted HTTP request to read arbitrary files, if httpd in the inets application is used.


Comment 1 Anten Skrabec 2020-10-05 21:13:47 UTC
Marking Red Hat OpenStack Platform notaffected as all versions we ship (,, is below the version which this vulnerability is introduced (22.3.1 & 23.0).

Comment 2 Anten Skrabec 2020-10-05 21:13:50 UTC
External References:


Comment 3 Bill Nottingham 2020-10-05 21:47:35 UTC
Ansible Tower 3.6 and earlier use Erlang 20.3.8.x and are therefore not affected by this bug. (Ansible Tower 3.7 and later do not use Erlang at all.)

Comment 4 Product Security DevOps Team 2020-10-06 02:21:20 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):