Source: erlang
Version: 1:27.3.4.12+dfsg-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for erlang.

CVE-2026-48855[0]:
| Exposure of Sensitive Information to an Unauthorized Actor
| vulnerability in Erlang OTP ssh (ssh_sftpd module) allows File
| Discovery. The SSH_FXP_READLINK handler in ssh_sftpd sends the raw
| result of file:read_link/2 to the client without calling
| chroot_filename/2 to strip the backend root prefix. An authenticated
| SFTP client can create a symlink inside the chroot pointing to /;
| ssh_sftpd resolves the target to the absolute backend root and
| stores it on disk. Reading the symlink back via SSH_FXP_READLINK
| returns that absolute path, for example /data/sftp, instead of the
| chrooted value /. The information disclosed is the absolute
| filesystem path of the SFTP root directory and of any symlink
| targets within it. No file contents, credentials, or access to paths
| outside the root directory are obtainable through this issue alone.
| This vulnerability is associated with program files
| lib/ssh/src/ssh_sftpd.erl. This issue affects OTP from OTP 17.0
| before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to ssh from
| 3.0.1 before 6.0.1, 5.5.2.1 and 5.2.11.8.

CVE-2026-48856[1]:
| Sensitive Data Exposure vulnerability in Erlang OTP inets
| (httpc_response module) allows Retrieve Embedded Sensitive Data.
| The httpc client forwards the Authorization and Proxy-Authorization
| request headers to redirect targets without checking whether the
| redirect crosses an origin boundary. httpc_response:redirect/2
| constructs the redirected request by updating only the host field of
| the header record; all other fields (including authorization and
| proxy_authorization) are copied verbatim. The redirect target host
| is never compared against the original host. autoredirect defaults
| to true, so this affects all httpc callers that do not explicitly
| disable automatic redirects.
|
| An attacker who controls a server that
| the victim contacts via httpc can issue a cross-origin 3xx redirect
| to a server they also control. The Authorization header (including
| Basic credentials derived from URL userinfo via
| httpc_request:handle_user_info/2) is forwarded to the redirect
| target, allowing credential theft. The same applies to the Proxy-
| Authorization header. This vulnerability is associated with program
| files lib/inets/src/http_client/httpc_response.erl. This issue
| affects OTP from 17.0 before 29.0.2, 28.5.0.2 and 27.3.4.13
| corresponding to inets from 5.10 before 9.7.1, 9.6.2.2 and 9.3.2.6.

CVE-2026-48858[2]:
| Server-Side Request Forgery (SSRF) vulnerability in Erlang/OTP ftp
| (ftp_internal module) allows FTP bounce attacks and SSRF via an
| unvalidated PASV response IP address. The
| ftp_internal:handle_ctrl_result/2 PASV handler (mode=passive,
| ipfamily=inet, ftp_extension=false) extracts the IP address from the
| server's 227 response and passes it directly to gen_tcp:connect/4
| without validating it against the control connection peer address.
| The adjacent EPSV handlers correctly call peername(CSock) to derive
| the IP from the control connection, but the PASV handler does not. A
| malicious or compromised FTP server can redirect the client's data
| connection to an arbitrary internal host and port. On read
| operations (ftp:ls/1,2, ftp:nlist/1,2, ftp:recv/2,3), data from the
| redirected target is returned to the caller. On write operations
| (ftp:send/2,3, ftp:append/2,3), file content is sent to the
| redirected target. This enables SSRF against internal hosts, cloud
| metadata endpoints, and FTP bounce attacks against third-party
| hosts. The vulnerable path is the default configuration
| (mode=passive, ipfamily=inet, ftp_extension=false). RFC 2577 section
| 3 explicitly recommends validating the PASV response IP against the
| control connection peer.
|
| The ftp application is deprecated and
| scheduled for removal in OTP-30. This vulnerability is associated
| with program files lib/inets/src/ftp/ftp_internal.erl (inets 5.10.4
| through 6.5, OTP 17.4 through 20.3) and lib/ftp/src/ftp_internal.erl
| (ftp 1.0 and later, OTP 21.0 and later). This issue affects OTP
| from OTP 17.4 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to
| inets from 5.10.4 before 7.0 and ftp from 1.0 before 1.2.6, 1.2.4.1
| and 1.2.3.1.

CVE-2026-48860[3]:
| Reliance on IP Address for Authentication vulnerability in
| Erlang/OTP ssl (inet_tls_dist module) allows unauthenticated bypass
| of the distribution-over-TLS LAN allowlist. The
| inet_tls_dist:check_ip/1 function, which enforces a LAN allowlist
| for Erlang distribution over TLS, calls inet:sockname/1 instead of
| inet:peername/1 to obtain the peer's IP address. Because
| inet:sockname/1 returns the local socket address, both the local IP
| and the supposed peer IP resolve to the same value, causing the
| subnet mask comparison to always succeed regardless of the actual
| remote address. Any holder of a CA-signed TLS certificate can
| therefore bypass the LAN restriction and gain full Erlang
| distribution access to the node, including rpc:call/4 and
| code:load_binary/3. This vulnerability is associated with program
| file lib/ssl/src/inet_tls_dist.erl. This issue affects OTP from OTP
| 26.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to ssl from
| 11.0 before 11.7.2, 11.6.0.2 and 11.2.12.9.

CVE-2026-49759[4]:
| Stack-based Buffer Overflow vulnerability in Erlang OTP erts
| (inet_drv) allows an unauthenticated remote attacker to crash the
| BEAM VM by sending a crafted SCTP ERROR chunk. The
| sctp_parse_error_chunk function in
| erts/emulator/drivers/common/inet_drv.c parses SCTP ERROR chunks and
| writes cause codes into a fixed-size stack-allocated ErlDrvTermData
| spec[] array without checking bounds.
|
| A remote attacker who has
| established an SCTP association to a listening port can send a
| single crafted SCTP ERROR chunk containing enough cause codes to
| overflow the stack buffer, crashing the VM. The attacker can only
| write 16-bit values interleaved with a fixed tag, so the overflow
| does not provide a controlled return address, limiting exploitation
| to Denial of Service. A crafted SCTP ERROR chunk may also leak bits
| and pieces of Erlang VM memory into the received error packet
| observed by the Erlang process. Such data is already readable by the
| user running the Erlang VM, so the disclosure scope is limited.
| This issue affects OTP from OTP 17.0 before 27.3.4.13, 28.5.0.2 and
| 29.0.2, corresponding to erts from 6.0 before 15.2.7.9, 16.4.0.2 and
| 17.0.2.

CVE-2026-49760[5]:
| Stack-based Buffer Overflow vulnerability in Erlang OTP
| (erl_interface) allows Stack-based Buffer Overflow. This
| vulnerability is associated with program file
| lib/erl_interface/src/misc/ei_printterm.c and program routine
| ei_s_print_term. The C function ei_s_print_term uses an internal
| 2000-character stack buffer to format terms. When called with an
| encoded Erlang term containing a very large integer (encoded
| representation exceeding 2000 characters), the buffer overflows. The
| overflow bytes are restricted to the ASCII values of 0-9 and A-F,
| which limits exploitation to Denial of Service. The companion
| function ei_print_term, which prints directly to a FILE instead of a
| memory buffer, does not contain this bug. This issue affects OTP
| from OTP 17.0 before 27.3.4.13, 28.5.0.2 and 29.0.2, corresponding
| to erl_interface from 3.7.16 before 5.5.2.1, 5.7.0.1 and 5.8.1.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-48855
    https://www.cve.org/CVERecord?id=CVE-2026-48855
[1] https://security-tracker.debian.org/tracker/CVE-2026-48856
    https://www.cve.org/CVERecord?id=CVE-2026-48856
[2] https://security-tracker.debian.org/tracker/CVE-2026-48858
    https://www.cve.org/CVERecord?id=CVE-2026-48858
[3] https://security-tracker.debian.org/tracker/CVE-2026-48860
    https://www.cve.org/CVERecord?id=CVE-2026-48860
[4] https://security-tracker.debian.org/tracker/CVE-2026-49759
    https://www.cve.org/CVERecord?id=CVE-2026-49759
[5] https://security-tracker.debian.org/tracker/CVE-2026-49760
    https://www.cve.org/CVERecord?id=CVE-2026-49760

Regards,
Salvatore
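The READLINK leak in CVE-2026-48855 above comes down to returning a backend-absolute path without mapping it back into the chroot. The module below is an added example, not code from ssh_sftpd or the OTP project: it shows the kind of mapping such a handler needs, given the absolute backend root and the target that file:read_link/2 returned. The module and function names are this example's own (ssh_sftpd's chroot_filename/2 is only named by the report, and its exact behaviour is not assumed here).

```erlang
%% Added example, not ssh_sftpd code. Maps a link target resolved on the
%% backend filesystem back into the client's chrooted view so that a
%% READLINK reply never carries the absolute root path.
-module(sftp_chroot).
-export([chroot_filename/2]).

%% Root is the absolute backend root, e.g. "/data/sftp".
%% Relative targets do not embed the root and pass through unchanged.
%% Absolute targets under Root are rewritten relative to "/".
%% Absolute targets outside Root are refused rather than disclosed.
chroot_filename(Root, Target) ->
    case filename:pathtype(Target) of
        relative ->
            {ok, Target};
        absolute ->
            RootParts = filename:split(normalize(Root)),
            TargetParts = filename:split(normalize(Target)),
            case lists:prefix(RootParts, TargetParts) of
                true ->
                    Rest = lists:nthtail(length(RootParts), TargetParts),
                    {ok, filename:join(["/" | Rest])};
                false ->
                    {error, outside_root}
            end;
        _ ->
            {error, outside_root}
    end.

%% Collapse "." and ".." so that "/data/sftp/../sftp/x" compares equal
%% to "/data/sftp/x"; ".." at the root stays at the root.
normalize(Path) ->
    Parts = lists:foldl(
              fun(".", Acc)         -> Acc;
                 ("..", ["/"])      -> ["/"];
                 ("..", [_ | Rest]) -> Rest;
                 ("..", [])         -> [];
                 (P, Acc)           -> [P | Acc]
              end, [], filename:split(Path)),
    filename:join(lists:reverse(Parts)).

%% Expected results with Root = "/data/sftp":
%%   chroot_filename("/data/sftp", "/data/sftp")       -> {ok, "/"}
%%   chroot_filename("/data/sftp", "/data/sftp/a/b")   -> {ok, "/a/b"}
%%   chroot_filename("/data/sftp", "../x")             -> {ok, "../x"}
%%   chroot_filename("/data/sftp", "/data/sftpx/a")    -> {error, outside_root}
%%   chroot_filename("/data/sftp", "/etc/passwd")      -> {error, outside_root}
```

The comparison is done on split path components rather than with a string prefix test, which is what keeps "/data/sftpx" from being accepted as inside "/data/sftp".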
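For CVE-2026-48856 above, the missing step is an origin comparison before the redirected request is built. The module below is an added example, not httpc code: it is meant for callers that set {autoredirect, false} on their httpc requests and follow the Location header themselves, and it drops Authorization and Proxy-Authorization whenever the redirect target's scheme, host or effective port differs from the original request. Module and function names are this example's own; uri_string:parse/1 and uri_string:resolve/2 are the standard library functions used.

```erlang
%% Added example, not OTP's httpc code. Decides whether a 3xx redirect
%% leaves the origin of the original request and, if it does, strips
%% the credential-bearing headers before the request is re-issued.
-module(redirect_guard).
-export([same_origin/2, sanitize_headers/3, next_request/3]).

%% Origin = lowercase scheme, lowercase host, effective port
%% (default port substituted when the URL carries none).
origin(Url) ->
    case uri_string:parse(Url) of
        #{scheme := Scheme0, host := Host} = Parsed ->
            Scheme = string:lowercase(Scheme0),
            Port = case maps:get(port, Parsed, undefined) of
                       undefined -> default_port(Scheme);
                       P -> P
                   end,
            {ok, {Scheme, string:lowercase(Host), Port}};
        _ ->
            error
    end.

default_port("http")  -> 80;
default_port("https") -> 443;
default_port(_)       -> undefined.

%% true only when scheme, host and effective port all match.
same_origin(OrigUrl, TargetUrl) ->
    case {origin(OrigUrl), origin(TargetUrl)} of
        {{ok, O}, {ok, O}} -> true;
        _ -> false
    end.

%% Headers is an httpc-style [{FieldName, Value}] list of strings.
sanitize_headers(OrigUrl, TargetUrl, Headers) ->
    case same_origin(OrigUrl, TargetUrl) of
        true ->
            Headers;
        false ->
            [H || {Name, _} = H <- Headers, not is_credential_header(Name)]
    end.

is_credential_header(Name) ->
    lists:member(string:lowercase(Name),
                 ["authorization", "proxy-authorization"]).

%% Resolve a Location value (possibly relative) against the original
%% URL and return the next {Url, Headers} pair to request.
next_request(OrigUrl, Location, Headers) ->
    case uri_string:resolve(Location, OrigUrl) of
        {error, _, _} = Err ->
            Err;
        TargetUrl ->
            {TargetUrl, sanitize_headers(OrigUrl, TargetUrl, Headers)}
    end.

%% Expected results:
%%   next_request("https://api.example/v1", "/v2",
%%                [{"Authorization", "Bearer t"}])
%%     -> {"https://api.example/v2", [{"Authorization", "Bearer t"}]}
%%   next_request("https://api.example/v1", "https://other.example/",
%%                [{"Authorization", "Bearer t"}, {"Accept", "*/*"}])
%%     -> {"https://other.example/", [{"Accept", "*/*"}]}
%%   next_request("https://api.example/v1", "https://api.example:8443/",
%%                [{"Authorization", "Bearer t"}])
%%     -> {"https://api.example:8443/", []}
```

A relative Location is resolved first so that a same-origin redirect keeps its credentials; a change of port or a downgrade from https to http is treated as a new origin, which is the stricter of the two readings and the one that avoids sending a bearer token over a different channel.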
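The PASV validation CVE-2026-48858 above says is missing is small enough to show in full. The module below is an added example, not code from the ftp application: it parses the server's 227 reply and applies the RFC 2577 section 3 check, comparing the advertised address with the control-connection peer (what inet:peername/1 returns for the control socket) before the address is handed to gen_tcp:connect/4. The two policies are this example's own: strict refuses on mismatch, use_peer keeps the advertised port but connects to the control peer, which is what the report says the EPSV handlers already do.

```erlang
%% Added example, not the ftp application's code. Parses an FTP 227
%% reply and validates the advertised data-connection address against
%% the control-connection peer before it is used.
-module(pasv_check).
-export([parse_227/1, data_endpoint/3]).

%% "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" -> {ok, {Ip, Port}}
parse_227(Line) ->
    Re = "\\((\\d+),(\\d+),(\\d+),(\\d+),(\\d+),(\\d+)\\)",
    case re:run(Line, Re, [{capture, all_but_first, list}]) of
        {match, Fields} ->
            case [list_to_integer(F) || F <- Fields] of
                [A, B, C, D, P1, P2] when A =< 255, B =< 255, C =< 255,
                                          D =< 255, P1 =< 255, P2 =< 255,
                                          P1 + P2 > 0 ->
                    {ok, {{A, B, C, D}, P1 * 256 + P2}};
                _ ->
                    {error, bad_pasv_reply}
            end;
        nomatch ->
            {error, bad_pasv_reply}
    end.

%% CtrlPeerIp is the address inet:peername/1 reports for the control
%% socket. Policy strict: refuse on mismatch. Policy use_peer: keep the
%% advertised port but connect to the control peer regardless.
data_endpoint(Line, CtrlPeerIp, Policy) ->
    case parse_227(Line) of
        {ok, {CtrlPeerIp, Port}} ->
            {ok, {CtrlPeerIp, Port}};
        {ok, {_Advertised, Port}} when Policy =:= use_peer ->
            {ok, {CtrlPeerIp, Port}};
        {ok, {Advertised, _Port}} ->
            {error, {pasv_ip_mismatch, Advertised, CtrlPeerIp}};
        {error, _} = Err ->
            Err
    end.

%% Expected results with a control peer of {203,0,113,10} (constructed):
%%   data_endpoint("227 Entering Passive Mode (203,0,113,10,4,1)",
%%                 {203,0,113,10}, strict)
%%     -> {ok, {{203,0,113,10}, 1025}}
%%   data_endpoint("227 Entering Passive Mode (169,254,169,254,0,80)",
%%                 {203,0,113,10}, strict)
%%     -> {error, {pasv_ip_mismatch, {169,254,169,254}, {203,0,113,10}}}
%%   data_endpoint("227 Entering Passive Mode (169,254,169,254,0,80)",
%%                 {203,0,113,10}, use_peer)
%%     -> {ok, {{203,0,113,10}, 80}}
%%   data_endpoint("227 garbage", {203,0,113,10}, strict)
%%     -> {error, bad_pasv_reply}
```

Until a fixed package is installed, the report's own description points at the workaround: the EPSV handlers derive the address from the control connection, so sessions opened with ftp_extension enabled against servers that support EPSV do not take the PASV path.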
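CVE-2026-49759 above is a C-level overflow in inet_drv.c, but the parsing rule it violates is language-independent: the number of error causes in an SCTP ERROR chunk is attacker-chosen and must be bounded before anything of fixed size is filled from it. The module below is an added example, not inet_drv code: an Erlang parser for the ERROR chunk layout of RFC 4960 section 3.3.10 (chunk type 9, then TLV causes with a 16-bit code and a 16-bit length, padded to 4 bytes) that stops once a caller-supplied cause limit is exceeded. The sample chunk builder is constructed for the example.

```erlang
%% Added example, not inet_drv code. A bounded parser for SCTP ERROR
%% chunks: cause codes are collected into a list capped at MaxCauses,
%% which is the check the fixed-size C spec[] array lacked.
-module(sctp_error_chunk).
-export([parse/2, sample_chunk/1]).

-define(SCTP_ERROR_CHUNK, 9).

%% Returns {ok, [{CauseCode, CauseData}]} or {error, Reason}.
%% Gives up with {error, too_many_causes} once MaxCauses causes have
%% been read and input remains, so a chunk of any size costs at most
%% MaxCauses list cells.
parse(<<?SCTP_ERROR_CHUNK, _Flags, Len:16, Rest/binary>> = Chunk, MaxCauses)
  when Len >= 4, Len =< byte_size(Chunk) ->
    Body = binary:part(Rest, 0, Len - 4),
    causes(Body, MaxCauses, []);
parse(_, _) ->
    {error, bad_chunk}.

causes(<<>>, _Left, Acc) ->
    {ok, lists:reverse(Acc)};
causes(_, 0, _Acc) ->
    {error, too_many_causes};
causes(<<Code:16, CLen:16, Tail/binary>>, Left, Acc) when CLen >= 4 ->
    DataLen = CLen - 4,
    PadLen = (4 - DataLen rem 4) rem 4,   % causes are 4-byte aligned
    case Tail of
        <<Data:DataLen/binary, _:PadLen/binary, More/binary>> ->
            causes(More, Left - 1, [{Code, Data} | Acc]);
        <<Data:DataLen/binary>> ->        % final cause, padding omitted
            causes(<<>>, Left - 1, [{Code, Data} | Acc]);
        _ ->
            {error, truncated_cause}
    end;
causes(_, _Left, _Acc) ->
    {error, bad_cause_header}.

%% Constructed sample: an ERROR chunk carrying N "Invalid Stream
%% Identifier" causes (code 1, length 8), the shape that inflates the
%% cause count without inflating per-cause data.
sample_chunk(N) ->
    Cause = <<1:16, 8:16, 7:16, 0:16>>,
    Causes = binary:copy(Cause, N),
    Len = 4 + byte_size(Causes),
    <<?SCTP_ERROR_CHUNK, 0, Len:16, Causes/binary>>.

%% Expected results:
%%   parse(sample_chunk(2), 16)  -> {ok, [{1,<<0,7,0,0>>}, {1,<<0,7,0,0>>}]}
%%   parse(sample_chunk(100), 16) -> {error, too_many_causes}
%%   parse(<<9, 0, 8:16, 1:16, 12:16>>, 16) -> {error, truncated_cause}
%%   parse(<<1, 0, 4:16>>, 16)   -> {error, bad_chunk}
```

Two details matter for the defensive reading: the chunk length is checked against the bytes actually present before any cause is touched, and every cause length is trusted only after the corresponding bytes have been matched, so a length field larger than the remaining input produces an error rather than an out-of-range read.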

