CVE-2014-6394Path Traversal in Project Send

CWE-22Path Traversal9 documents8 sources
Severity
7.5HIGHNVD
EPSS
4.8%
top 10.46%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Send Project SendJoyent Node.jsApple Xcode+1 more
Timeline
PublishedOct 8
Latest updateOct 24

Description

visionmedia send before 0.8.4 for Node.js uses a partial comparison for verifying whether a directory is within the document root, which allows remote attackers to access restricted directories, as demonstrated using "public-restricted" under a "public" directory.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages3 packages

npmsend_project/send< 0.8.4
NVDjoyent/node.js0.8.3+3
NVDapple/xcode7.0

Also affects: Fedora 19, 20, 21

🔴Vulnerability Details

4
OSV
Directory Traversal in send2017-10-24
GHSA
Directory Traversal in send2017-10-24
CVEList
CVE-2014-6394: visionmedia send before 02014-10-08
OSV
CVE-2014-6394: visionmedia send before 02014-10-08

📋Vendor Advisories

3
Red Hat
nodejs-send: directory traversal vulnerability2014-09-12
Debian
CVE-2014-6394: node-send - visionmedia send before 0.8.4 for Node.js uses a partial comparison for verifyin...2014
Apple
CVE-2014-6394: Xcode 7.0

💬Community

1
Bugzilla
CVE-2014-6394 nodejs-send: directory traversal vulnerability2014-09-24
CVE-2014-6394 — Path Traversal in Send Project Send | cvebase