Debian Node-Send vulnerabilities
3 known vulnerabilities affecting debian/node-send.
Total CVEs: 3
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 1, MEDIUM 1, LOW 1
Vulnerabilities
CVE-2014-6394 | P3 | HIGH | CVSS 7.5 | fixed in node-send 0.9.4-1 (bookworm) | 2014
CVE-2014-6394 [HIGH] CVE-2014-6394: node-send - visionmedia send before 0.8.4 for Node.js uses a partial comparison for verifyin...
visionmedia send before 0.8.4 for Node.js uses a partial comparison for verifying whether a directory is within the document root, which allows remote attackers to access restricted directories, as demonstrated using "public-restricted" under a "public" directory.
Scope: local
bookworm: resolved (fixed in 0.9.4-1)
bullseye: resolved (fixed in 0.9.4-1)
forky: resolve
CVE-2015-8859 | P4 | LOW | CVSS 5.3 | fixed in node-send 0.16.2-1 (bookworm) | 2015
CVE-2015-8859 [MEDIUM] CVE-2015-8859: node-send - The send package before 0.11.1 for Node.js allows attackers to obtain the root p...
The send package before 0.11.1 for Node.js allows attackers to obtain the root path via unspecified vectors.
Scope: local
bookworm: resolved (fixed in 0.16.2-1)
bullseye: resolved (fixed in 0.16.2-1)
forky: resolved (fixed in 0.16.2-1)
sid: resolved (fixed in 0.16.2-1)
trixie: resolved (fixed in 0.16.2-1)
CVE-2024-43799 | P4 | MEDIUM | CVSS 5.0 | fixed in node-send 0.18.0+~cs1.19.1-3+deb12u1 (bookworm) | 2024
CVE-2024-43799 [MEDIUM] CVE-2024-43799: node-send - Send is a library for streaming files from the file system as a http response. S...
Send is a library for streaming files from the file system as an HTTP response. Send passes untrusted user input to SendStream.redirect() which executes untrusted code. This issue is patched in send 0.19.0.
Scope: local
bookworm: resolved (fixed in 0.18.0+~cs1.19.1-3+deb12u1)
bullseye: resolved (fixed in 0.17.1-2+deb11u1)
forky: resolved (fixed in 1.1.0+~cs1.19.4