CVE-2017-10974

Name of the Vulnerable Software and Affected Versions Yaws version 1.91

Description The issue allows unauthenticated remote file disclosure via HTTP directory traversal. This is achieved by using the //.. sequence to defeat traversal protection mechanisms. The vulnerability is specifically related to the use of an initial /%5C sequence.

Recommendations For Yaws version 1.91, consider restricting access to the HTTP endpoint on port 8080 as a temporary workaround until a patch is available. Avoid using the /%5C../ sequence in HTTP requests to minimize the risk of exploitation.