{"id":"CVE-2020-25623","details":"Erlang/OTP 22.3.x before 22.3.4.6 and 23.x before 23.1 allows Directory Traversal. An attacker can send a crafted HTTP request to read arbitrary files, if httpd in the inets application is used.","modified":"2026-04-10T04:25:11.476034Z","published":"2020-10-02T12:15:12.160Z","related":["openSUSE-SU-2024:10740-1","openSUSE-SU-2025:15740-1"],"references":[{"type":"ADVISORY","url":"https://github.com/erlang/otp/releases/tag/OTP-23.1"},{"type":"ADVISORY","url":"https://www.erlang.org/downloads"},{"type":"ADVISORY","url":"https://www.erlang.org/news"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/erlang/otp","events":[{"introduced":"0"},{"fixed":"7339e8f745c9ae4cc71e8dc09be37e3116249392"},{"introduced":"0"},{"fixed":"1b5dce9313e29c320593b3bba5ca020a23019706"}],"database_specific":{"versions":[{"introduced":"22.3.0"},{"fixed":"22.3.4.6"},{"introduced":"23.0.0"},{"fixed":"23.1"}]}}],"versions":["OTP-17.0","OTP-18.0","OTP-18.0-rc1","OTP-19.0","OTP-19.0-rc1","OTP-19.0-rc2","OTP-20.0","OTP-20.0-rc1","OTP-20.0-rc2","OTP-21.0","OTP-21.0-rc1","OTP-21.0-rc2","OTP-22.0","OTP-22.0-rc1","OTP-22.0-rc2","OTP-22.0-rc3","OTP-22.1","OTP-22.2","OTP-22.3","OTP-22.3.1","OTP-22.3.2","OTP-22.3.3","OTP-22.3.4","OTP-22.3.4.1","OTP-22.3.4.2","OTP-22.3.4.3","OTP-22.3.4.4","OTP-22.3.4.5","OTP-23.0","OTP-23.0-rc1","OTP-23.0-rc2","OTP-23.0-rc3","OTP_17.0-rc1","OTP_17.0-rc2","OTP_R13B03","OTP_R13B04","OTP_R14A","OTP_R14B","OTP_R14B01","OTP_R14B02","OTP_R14B03","OTP_R15A","OTP_R15B","OTP_R16A_RELEASE_CANDIDATE","OTP_R16B"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-25623.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}