Bug 1885311 (CVE-2020-25623) - CVE-2020-25623 Erlang/OTP: allows attackers to read arbitrary files via a crafted HTTP request
Summary: CVE-2020-25623 Erlang/OTP: allows attackers to read arbitrary files via a cra...
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2020-25623
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1884726
TreeView+ depends on / blocked
 
Reported: 2020-10-05 15:07 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-02-16 19:09 UTC (History)
22 users (show)

Fixed In Version: erlang 22.3.4.6, erlang 23.1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-10-06 02:21:20 UTC
Embargoed:

Attachments (Terms of Use)

Description Guilherme de Almeida Suckevicz 2020-10-05 15:07:11 UTC 
Erlang/OTP 22.3.x before 22.3.4.6 and 23.x before 23.1 allows Directory Traversal. An attacker can send a crafted HTTP request to read arbitrary files, if httpd in the inets application is used.

Reference:
https://github.com/erlang/otp/releases/tag/OTP-23.1
Comment 1 Anten Skrabec 2020-10-05 21:13:47 UTC 
Marking Red Hat OpenStack Platform notaffected as all versions we ship (18.3.4.11, 20.3.8.24, 21.3.8.13) is below the version which this vulnerability is introduced (22.3.1 & 23.0).
Comment 2 Anten Skrabec 2020-10-05 21:13:50 UTC 
External References:

https://erlang.org/download/OTP-23.1.README
Comment 3 Bill Nottingham 2020-10-05 21:47:35 UTC 
Ansible Tower 3.6 and earlier use Erlang 20.3.8.x and are therefore not affected by this bug. (Ansible Tower 3.7 and later do not use Erlang at all.)
Comment 4 Product Security DevOps Team 2020-10-06 02:21:20 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-25623
Note You need to log in before you can comment on or make changes to this bug.