CVE-2026-23942

Erlang OTP (ssh_sftpd moduli) dagi cheklangan katalog ('Path Traversal') zaifligi bilan yo'l nomini noto'g'ri cheklash yo'lni kesib o'tishga imkon beradi.

 Ushbu zaiflik lib/ssh/src/ssh_sftpd.erl dastur fayllari va ssh_sftpd:is_within_root/2 dastur rutinlari bilan bog'liq.

 SFTP serveri konfiguratsiya qilingan ildiz katalogida yo'l bor-yo'qligini tekshirishda to'g'ri yo'l komponentini tekshirish o'rniga lists:prefix/2 orqali satr prefiksini moslashtirishdan foydalanadi. Bu autentifikatsiya qilingan foydalanuvchilarga opa-singillarga kirish imkonini beradi.

Manbalar

• https://github.com/erlang/otp/commit/27688a824f753d4c16371dc70e88753fb410590b
• https://github.com/erlang/otp/commit/5ed603a1211b83b8be2d1fc06d3f3bf30c3c9759
• https://github.com/erlang/otp/commit/9e0ac85d3485e7898e0da88a14be0ee2310a3b28
• https://github.com/erlang/otp/security/advisories/GHSA-4749-w85x-hw9h
• https://www.erlang.org/doc/system/versions.html#order-of-versions