Impact
httpd allows directory traversal. When httpd in the inets application is used, an attacker can send a crafted HTTP request to read arbitrary files.
Affected/Unaffected Versions
A version greater than or equal to one of the listed patched versions is unaffected. Otherwise, a version that satisfies an expression listed under affected versions is affected, and a version that satisfies none of them is unaffected.
The documentation of the new OTP version scheme describes how versions should be compared. Note that versions used prior to OTP 17.0, when the new OTP version scheme was introduced, are never listed since it is not well defined how to compare those versions.
Credits
Thanks to Ivo Matijasevic for finding and responsibly disclosing this vulnerability to the Erlang/OTP project.
Thanks to Andy Song for providing a remediation for this vulnerability.