Bug 2487603 (CVE-2026-48855)
| Field | Value |
|---|---|
| Summary | CVE-2026-48855 erlang: Erlang OTP ssh: Information disclosure via symlink resolution in SFTP |
| Product | [Other] Security Response |
| Component | vulnerability |
| Status | NEW |
| Severity | medium |
| Priority | medium |
| Version | unspecified |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | |
| Reporter | OSIDB Bzimport <bzimport> |
| Assignee | Product Security <prodsec-ir-bot> |
| QA Contact | |
| Docs Contact | |
| CC | eglynn, jjoyce, jpretori, jschluet, lhh, mburns, mgarciac |
| Keywords | Security |
| Doc Type | --- |
| Doc Text | A flaw was found in Erlang OTP ssh, specifically in the `ssh_sftpd` module. An authenticated SFTP client can trigger it by creating a symbolic link (symlink) inside its restricted (chroot) directory that points to the root directory. When the client reads that symlink, `ssh_sftpd` returns the absolute filesystem path of the SFTP root directory, and of any symlink targets, instead of the path as it should appear inside the restricted directory. This exposure of sensitive information enables file discovery, but it does not grant access to file contents, credentials, or paths outside the root directory. |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 2488320, 2488319 |
| Bug Blocks | |
Description
OSIDB Bzimport
2026-06-10 16:01:58 UTC
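The doc text above describes the failure mode only in general terms: the server resolves a client-created symlink and reports the absolute host path of the SFTP root instead of the path as it appears inside the restricted directory. The Python script below is an added illustration of that class of bug and of the corresponding check; it is not code from Erlang/OTP or from this bug report. How `ssh_sftpd` itself implements symlink resolution is not shown on this page, so `leaky_readlink`, `hardened_readlink` and `virtual_path` are assumed shapes of a readlink handler, and the directory layout is constructed in a temporary directory for the demonstration.

```python
import os
import tempfile


def virtual_path(root, host_path):
    """Map an absolute host path back into the client's chroot view.

    Returns the path as the client should see it ('/' for the root itself,
    '/dir/file' below it) and raises ValueError when the resolved path lies
    outside root, i.e. when a symlink escaped the restricted directory.
    """
    root = os.path.realpath(root).rstrip(os.sep) or os.sep
    host_path = os.path.realpath(host_path)
    if host_path == root:
        return "/"
    prefix = root + os.sep if root != os.sep else os.sep
    if not host_path.startswith(prefix):
        raise ValueError("path resolves outside the SFTP root: %s" % host_path)
    return "/" + os.path.relpath(host_path, root).replace(os.sep, "/")


def leaky_readlink(root, client_path):
    """Assumed shape of a readlink handler with the behaviour the advisory
    describes (illustrative, not OTP's code): resolve the link on the host
    and hand the absolute host path back, which tells the client where the
    SFTP root really lives on the server."""
    link = os.path.join(root, client_path.lstrip("/"))
    return os.path.realpath(link)


def hardened_readlink(root, client_path):
    """Resolve the same link but answer only in chroot-relative terms, and
    refuse to describe a target that lies outside root."""
    link = os.path.join(root, client_path.lstrip("/"))
    return virtual_path(root, os.path.realpath(link))


def demo():
    """Constructed scenario: a throwaway SFTP root containing a symlink that
    points at the root's absolute path, as the advisory describes, plus one
    that points outside the root.

    Returns a dict with the host root path and each handler's answer.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(os.path.join(tmp, "sftp_root"))
        os.makedirs(os.path.join(root, "uploads"))
        # Client-created link inside the restricted directory whose target
        # is the root directory itself.
        os.symlink(root, os.path.join(root, "uploads", "to_root"))
        # Link whose target lies above the restricted directory.
        os.symlink(tmp, os.path.join(root, "uploads", "outside"))

        leaky = leaky_readlink(root, "/uploads/to_root")
        hardened = hardened_readlink(root, "/uploads/to_root")
        try:
            hardened_readlink(root, "/uploads/outside")
            escape_rejected = False
        except ValueError:
            escape_rejected = True
        return {
            "root": root,
            "leaky": leaky,
            "hardened": hardened,
            "escape_rejected": escape_rejected,
        }


if __name__ == "__main__":
    result = demo()
    print("host root directory      :", result["root"])
    print("leaky readlink answer    :", result["leaky"])      # same as the host root
    print("hardened readlink answer :", result["hardened"])   # '/'
    print("escape rejected          :", result["escape_rejected"])
```

The check in `virtual_path` is the one a chrooted SFTP server needs on every path it echoes back to a client (readlink, realpath, directory listings alike): canonicalize on the host, verify the result is still under the root, and return only the root-relative form, so that neither the root's location nor any target outside it is revealed.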