Impact
The vulnerability is an observable response discrepancy in the SSH_FXP_REALPATH handler of the Erlang/OTP ssh_sftpd module. It corresponds to CWE-204 (Observable Response Discrepancy) and arises from a path traversal flaw. An authenticated SFTP client can send a REALPATH request containing a crafted traversal path. Because the handler does not canonicalize the path, the server resolves the request as received and walks up the directory tree above the configured SFTP root, issuing read_link() calls on arbitrary filesystem locations. The server then replies with SSH_FXP_NAME when the target exists and SSH_FX_NO_SUCH_FILE when it does not, which turns the handler into a path-existence oracle: an attacker can determine whether arbitrary files or directories outside the configured root exist on the host. The only information disclosed is whether a path exists; file contents, credentials, and write permissions are not exposed, but the information gathered can aid subsequent attacks.
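The missing step, shown as an added illustration rather than OTP's own code or fix: the client-supplied REALPATH argument is resolved lexically and confined to the configured root before any filesystem call is made, so the existence answer can only ever refer to a path under that root. The module and function names are assumed for the example.

```erlang
%% Constructed example (not OTP code): confine a client-supplied
%% SSH_FXP_REALPATH argument to the configured SFTP root before any
%% filesystem call touches it. Resolution is purely lexical, so a
%% run of ".." components can never climb above Root.
-module(sftp_realpath_guard).
-export([confine/2, realpath_reply/2]).

%% confine(Root, Requested) -> AbsolutePath
%% Root is the absolute SFTP root directory; Requested is the raw
%% path taken from the client's REALPATH packet.
confine(Root, Requested) ->
    RootParts = strip_slash(filename:split(Root)),
    ReqParts  = strip_slash(filename:split(Requested)),
    %% Walk the requested components starting at the root. The
    %% accumulator is a reversed list of components *below* the root,
    %% and ".." at the root is a no-op instead of an escape.
    Below = lists:foldl(fun walk/2, [], ReqParts),
    filename:join(["/" | RootParts ++ lists:reverse(Below)]).

%% filename:split("/srv/sftp") yields ["/", "srv", "sftp"]; drop the
%% leading "/" so absolute and relative client paths are treated alike
%% (an absolute SFTP path is still interpreted relative to Root).
strip_slash(["/" | Rest]) -> Rest;
strip_slash(Parts)        -> Parts.

walk(".",  Acc)        -> Acc;   % current directory: nothing to do
walk("..", [])         -> [];    % already at the root: stay there
walk("..", [_ | Acc])  -> Acc;   % go up one level, never above root
walk(Part, Acc)        -> [Part | Acc].

%% realpath_reply(Root, Requested) -> {name, Path} | no_such_file
%% Only the confined path reaches the filesystem, so the two possible
%% replies no longer leak whether anything outside Root exists.
realpath_reply(Root, Requested) ->
    Path = confine(Root, Requested),
    case file:read_link_info(Path) of
        {ok, _}    -> {name, Path};
        {error, _} -> no_such_file
    end.
```

With Root = "/srv/sftp", a request of "../../etc/passwd" confines to "/srv/sftp/etc/passwd" and is answered only for that location. Lexical confinement does not follow symbolic links beneath the root; handling those is a separate policy decision.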
Affected Systems
Affected systems are Erlang/OTP implementations from version 17.0 up to OTP 29.0.3, OTP 28.5.0.3, and OTP 27.3.4.14. These correspond to the ssh module starting at ssh-3.0.1 and extending through ssh-6.0.2, ssh-5.5.2.2, and ssh-5.2.11.9, respectively. Any deployment of Erlang/OTP that includes the ssh_sftpd component within these version ranges is vulnerable.
Risk and Exploitability
The CVSS score of 2.3 indicates low overall severity. No EPSS score is available, so there is no quantitative estimate of exploitation likelihood, and the issue is not listed in CISA’s KEV catalog. Exploitation requires an authenticated SFTP session, so an attacker must already hold valid credentials. Once authenticated, the attacker can repeatedly send crafted REALPATH requests to enumerate the host’s filesystem structure outside the SFTP root. The impact is confined to information disclosure, although the knowledge gained can assist other attacks when combined with additional weaknesses.
OpenCVE Enrichment