This affects all versions of package droppy. It is possible to traverse directories to fetch configuration files from a droopy server.