visionmedia send before 0.8.4 for Node.js uses a partial comparison for verifying whether a directory is within the document root, which allows remote attackers to access restricted directories, as demonstrated using "public-restricted" under a "public" directory.

Metrics

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

Vendors Products
Apple
  • Xcode
Fedoraproject
  • Fedora
Joyent
  • Node.js

Configuration 1 [-]

OR cpe:2.3:o:fedoraproject:fedora:19:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:20:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:a:apple:xcode:7.0:*:*:*:*:*:*:*

Configuration 3 [-]

OR cpe:2.3:a:joyent:node.js:*:*:*:*:*:*:*:*
cpe:2.3:a:joyent:node.js:0.8.0:*:*:*:*:*:*:*
cpe:2.3:a:joyent:node.js:0.8.1:*:*:*:*:*:*:*
cpe:2.3:a:joyent:node.js:0.8.2:*:*:*:*:*:*:*

No data.

References
Link Providers
http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html cve-icon cve-icon
http://lists.fedoraproject.org/pipermail/package-announce/2014-October/139938.html cve-icon cve-icon
http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140020.html cve-icon cve-icon
http://lists.fedoraproject.org/pipermail/package-announce/2014-September/139415.html cve-icon cve-icon
http://secunia.com/advisories/62170 cve-icon cve-icon
http://www-01.ibm.com/support/docview.wss?uid=swg21687263 cve-icon cve-icon
http://www.openwall.com/lists/oss-security/2014/09/24/1 cve-icon cve-icon
http://www.openwall.com/lists/oss-security/2014/09/30/10 cve-icon cve-icon
http://www.securityfocus.com/bid/70100 cve-icon cve-icon
https://bugzilla.redhat.com/show_bug.cgi?id=1146063 cve-icon cve-icon
https://exchange.xforce.ibmcloud.com/vulnerabilities/96727 cve-icon cve-icon
https://github.com/visionmedia/send/commit/9c6ca9b2c0b880afd3ff91ce0d211213c5fa5f9a cve-icon cve-icon
https://github.com/visionmedia/send/pull/59 cve-icon cve-icon
https://nodesecurity.io/advisories/send-directory-traversal cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2014-6394 cve-icon
https://support.apple.com/HT205217 cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2014-6394 cve-icon
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2014-10-08T17:00:00

Updated: 2024-08-06T12:17:23.629Z

Reserved: 2014-09-15T00:00:00

Link: CVE-2014-6394

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2014-10-08T17:55:05.123

Modified: 2017-09-08T01:29:14.403

Link: CVE-2014-6394

cve-icon Redhat

Severity : Low

Publid Date: 2014-09-12T00:00:00Z

Links: CVE-2014-6394 - Bugzilla