CVE-2014-6394
high
CVSS v3
โ
CVSS v4 NEW
โ
VIR risk
7.5
Description
visionmedia send before 0.8.4 for Node.js uses a partial comparison for verifying whether a directory is within the document root, which allows remote attackers to access restricted directories, as demonstrated using "public-restricted" under a "public" directory.
Predictions
Exploit likelihood
20%
Patch ETA
โ
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
OS impact
Fedora Affected 3 releases
| Version | Status | Fixed in |
|---|---|---|
| 21 | Affected | โ |
| 20 | Affected | โ |
| 19 | Affected | โ |
Debian Fixed 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 0.9.4-1 |
| sid | Fixed | 0.9.4-1 |
| forky | Fixed | 0.9.4-1 |
| bullseye | Fixed | 0.9.4-1 |
| bookworm | Fixed | 0.9.4-1 |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| npm | send | <0.8.4 | 0.8.4 |
References
- http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html
- http://lists.fedoraproject.org/pipermail/package-announce/2014-October/139938.html
- http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140020.html
- http://lists.fedoraproject.org/pipermail/package-announce/2014-September/139415.html
- http://secunia.com/advisories/62170
- http://www-01.ibm.com/support/docview.wss?uid=swg21687263
- http://www.openwall.com/lists/oss-security/2014/09/24/1
- http://www.openwall.com/lists/oss-security/2014/09/30/10
- http://www.securityfocus.com/bid/70100
- https://bugzilla.redhat.com/show_bug.cgi?id=1146063
- https://exchange.xforce.ibmcloud.com/vulnerabilities/96727
- https://github.com/visionmedia/send/commit/9c6ca9b2c0b880afd3ff91ce0d211213c5fa5f9a
- https://github.com/visionmedia/send/pull/59
- https://nodesecurity.io/advisories/send-directory-traversal
- https://support.apple.com/HT205217
- https://nvd.nist.gov/vuln/detail/CVE-2014-6394
- https://github.com/advisories/GHSA-xwg4-93c6-3h42
- https://github.com/visionmedia/send
- https://www.npmjs.com/advisories/32
- https://security-tracker.debian.org/tracker/CVE-2014-6394
CWEs
CWE-22
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.