6 matches found
SUSE CVE-2026-48855
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Erlang OTP ssh sshsftpd module allows File Discovery. The SSHFXPREADLINK handler in sshsftpd sends the raw result of file:readlink/2 to the client without calling chrootfilename/2 to strip the backend root prefix. An...
FreeBSD : Erlang/OTP -- SFTP READLINK discloses server filesystem paths (d87e41a4-64d4-11f1-ab11-4c526214c986)
The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the d87e41a4-64d4-11f1-ab11-4c526214c986 advisory. https://github.com/erlang/otp/security/advisories/GHSA-pv7g-pjrq-x2fh reports: The SSH SFTP daemon's...
CVE-2026-48855
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Erlang OTP ssh sshsftpd module allows File Discovery. The SSHFXPREADLINK handler in sshsftpd sends the raw result of file:readlink/2 to the client without calling chrootfilename/2 to strip the backend root prefix. An...
CVE-2026-48855
Summary: CVE-2026-48855 affects Erlang OTP ssh_sftpd. An authenticated SFTP client can create a symlink inside a chroot that points to the filesystem root; when reading the link via SSH_FXP_READLINK, ssh_sftpd exposes the absolute backend root path (and any symlink targets) instead of the chroote...
CVE-2026-48855 SFTP READLINK Leaks Absolute Backend Filesystem Path When Root Is Configured
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Erlang OTP ssh sshsftpd module allows File Discovery. The SSHFXPREADLINK handler in sshsftpd sends the raw result of file:readlink/2 to the client without calling chrootfilename/2 to strip the backend root prefix. An...
Erlang/OTP -- SFTP READLINK discloses server filesystem paths
https://github.com/erlang/otp/security/advisories/GHSA-pv7g-pjrq-x2fh reports: The SSH SFTP daemon's handling of SSHFXPREADLINK returned symbolic link targets containing the server's absolute filesystem path, disclosing the backend root prefix to clients. The handler now strips the backend root...