Erlang/OTP 22.3.x before 22.3.4.6 and 23.x before 23.1 allows Directory Traversal. An attacker can send a crafted HTTP request to read arbitrary files, if httpd in the inets application is used.
Source: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25623
Reference (s):
- https://github.com/erlang/otp/releases/tag/OTP-23.1
- https://www.erlang.org/downloads
- https://www.erlang.org/news