CVE-2014-6394
EPSS 4.8%Directory Traversal in send
Published: 10/24/2017Modified: 11/8/2023
Description
Versions 0.8.3 and earlier of `send` are affected by a directory traversal vulnerability. When relying on the root option to restrict file access it may be possible for an application consumer to escape out of the restricted directory and access files in a similarly named directory. For example, `static(_dirname + '/public')` would allow access to `_dirname + '/public-restricted'`. ## Recommendation Update to version 0.8.4 or later.
Affected packages (2)
- Debian/node-sendfrom 0, < 0.9.4-1
- npm/sendfrom 0, < 0.8.4
References (19)
- ADVISORYhttps://github.com/advisories/GHSA-xwg4-93c6-3h42
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2014-6394
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2014-6394
- PATCHhttps://github.com/visionmedia/send
- WEBhttp://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html
- WEBhttp://lists.fedoraproject.org/pipermail/package-announce/2014-October/139938.html
- WEBhttp://lists.fedoraproject.org/pipermail/package-announce/2014-October/140020.html
- WEBhttp://lists.fedoraproject.org/pipermail/package-announce/2014-September/139415.html
- WEBhttps://bugzilla.redhat.com/show_bug.cgi?id=1146063
- WEBhttp://secunia.com/advisories/62170
- WEBhttps://exchange.xforce.ibmcloud.com/vulnerabilities/96727
- WEBhttps://github.com/visionmedia/send/commit/9c6ca9b2c0b880afd3ff91ce0d211213c5fa5f9a
- WEBhttps://github.com/visionmedia/send/pull/59
- WEBhttps://support.apple.com/HT205217
- WEBhttps://www.npmjs.com/advisories/32
- WEBhttp://www-01.ibm.com/support/docview.wss?uid=swg21687263
- WEBhttp://www.openwall.com/lists/oss-security/2014/09/24/1
- WEBhttp://www.openwall.com/lists/oss-security/2014/09/30/10
- WEBhttp://www.securityfocus.com/bid/70100