PT-2020-6854 · Ericsson+1 · Erlang/Otp+1

Published 2020-09-23 · Updated 2025-11-18 · CVE-2020-25623

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Erlang/OTP versions 22.3.x through 22.3.4.5
Erlang/OTP versions 23.x through 23.0

Description

The issue allows an attacker to send a crafted HTTP request to read arbitrary files, if httpd in the inets application is used. This is related to directory traversal due to insufficient path name restrictions. An attacker can exploit this to gain access to confidential data.

Recommendations

For Erlang/OTP versions 22.3.x through 22.3.4.5, update to version 22.3.4.6 or later.
For Erlang/OTP versions 23.x through 23.0, update to version 23.1 or later.
As a temporary workaround, consider restricting access to the httpd in the inets application until a patch is available.
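
The following version triage is an added example, not part of the advisory or of Erlang/OTP: it compares dotted OTP version strings numerically against the ranges above and reports the release to upgrade to. It assumes every release on a branch before the listed fixed release is affected; the function names, host names and inventory are constructed for illustration.

```python
import re

# Branch ranges from the advisory: (first affected, first fixed release).
AFFECTED = [("22.3", "22.3.4.6"), ("23.0", "23.1")]


def parse_otp_version(text):
    """Turn '22.3.4.5' into (22, 3, 4, 5); trailing zeros are dropped so
    '23.0' and '23.0.0' compare equal. Suffixes such as '-rc1' are ignored,
    which errs on the side of reporting a pre-release as affected."""
    match = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if match is None:
        raise ValueError(f"not an OTP version string: {text!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def fixed_release_for(version_text):
    """Return the release to upgrade to if the version is affected, else None."""
    version = parse_otp_version(version_text)
    for first_affected, first_fixed in AFFECTED:
        low, high = parse_otp_version(first_affected), parse_otp_version(first_fixed)
        if low <= version < high:
            return first_fixed
    return None


def triage(inventory):
    """Map each host to 'upgrade to X', 'not in affected range' or 'unparsed'."""
    report = {}
    for host, version_text in inventory.items():
        try:
            target = fixed_release_for(version_text)
        except ValueError:
            report[host] = "unparsed"
            continue
        report[host] = f"upgrade to {target}" if target else "not in affected range"
    return report


if __name__ == "__main__":
    # Constructed inventory: host names and versions are sample data.
    sample = {"web-01": "22.3.4.5", "web-02": "22.3.4.6", "api-01": "23.0.2",
              "api-02": "23.1", "batch-01": "22.2.8", "lab-01": "unknown"}
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```

Hosts reported as unparsed need a manual check, since a missing version string says nothing about exposure.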

Fix

Path traversal


Weakness Enumeration

Related Identifiers

BDU:2023-01663
CVE-2020-25623
OPENSUSE-SU-2024:10740-1
OPENSUSE-SU-2025:15740-1

Affected Products

Astra Linux
Erlang/Otp