Candidate: CVE-2020-25623
PublicDate: 2020-10-02 12:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25623
 https://github.com/erlang/otp/releases/tag/OTP-23.1
 https://www.erlang.org/downloads
 https://www.erlang.org/news
Description:
 Erlang/OTP 22.3.x before 22.3.4.6 and 23.x before 23.1 allows Directory
 Traversal. An attacker can send a crafted HTTP request to read arbitrary
 files, if httpd in the inets application is used.
Ubuntu-Description:
Notes:
 mdeslaur> per upstream, introduced in OTP 22.3.1 and corrected in OTP
 mdeslaur> 22.3.4.6. It was also introduced in OTP 23.0 and corrected in
 mdeslaur> OTP 23.1
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N [7.5 HIGH]


Patches_erlang:
 upstream: https://github.com/erlang/otp/commit/5296ae6c4761f26600c05e447cb0bda78a93b602 (22)
 upstream: https://github.com/erlang/otp/commit/5296ae6c4761f26600c05e447cb0bda78a93b602 (23)
upstream_erlang: released (1:23.1+dfsg-1)
precise/esm_erlang: DNE
trusty_erlang: ignored (out of standard support)
trusty/esm_erlang: not-affected
xenial_erlang: not-affected (1:18.3-dfsg-1ubuntu3.1)
esm-infra/xenial_erlang: not-affected (1:18.3-dfsg-1ubuntu3.1)
bionic_erlang: not-affected (1:20.2.2+dfsg-1ubuntu2)
focal_erlang: not-affected (1:22.2.7+dfsg-1)
devel_erlang: released (1:23.0.3+dfsg-1ubuntu1)