Vulnerability-Lookup

CVE-2014-6394 (GCVE-0-2014-6394)

Vulnerability from cvelistv5 – Published: 2014-10-08 17:00 – Updated: 2024-08-06 12:17

Summary

visionmedia send before 0.8.4 for Node.js uses a partial comparison for verifying whether a directory is within the document root, which allows remote attackers to access restricted directories, as demonstrated using "public-restricted" under a "public" directory.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

	http://secunia.com/advisories/62170	third-party-advisoryx_refsource_SECUNIA
	http://www.openwall.com/lists/oss-security/2014/0…	mailing-listx_refsource_MLIST
	https://bugzilla.redhat.com/show_bug.cgi?id=1146063	x_refsource_CONFIRM
	https://nodesecurity.io/advisories/send-directory…	x_refsource_MISC
	https://github.com/visionmedia/send/pull/59	x_refsource_MISC
	https://support.apple.com/HT205217	x_refsource_CONFIRM
	https://github.com/visionmedia/send/commit/9c6ca9…	x_refsource_CONFIRM
	http://lists.apple.com/archives/security-announce…	vendor-advisoryx_refsource_APPLE
	http://lists.fedoraproject.org/pipermail/package-…	vendor-advisoryx_refsource_FEDORA
	http://lists.fedoraproject.org/pipermail/package-…	vendor-advisoryx_refsource_FEDORA
	http://www.securityfocus.com/bid/70100	vdb-entryx_refsource_BID
	https://exchange.xforce.ibmcloud.com/vulnerabilit…	vdb-entryx_refsource_XF
	http://www-01.ibm.com/support/docview.wss?uid=swg…	x_refsource_CONFIRM
	http://lists.fedoraproject.org/pipermail/package-…	vendor-advisoryx_refsource_FEDORA
	http://www.openwall.com/lists/oss-security/2014/09/24/1	mailing-listx_refsource_MLIST

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T12:17:23.629Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "62170",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/62170"
          },
          {
            "name": "[oss-security] 20140924 Re: CVE request: various NodeJS module vulnerabilities",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2014/09/30/10"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1146063"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://nodesecurity.io/advisories/send-directory-traversal"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/visionmedia/send/pull/59"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://support.apple.com/HT205217"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/visionmedia/send/commit/9c6ca9b2c0b880afd3ff91ce0d211213c5fa5f9a"
          },
          {
            "name": "APPLE-SA-2015-09-16-2",
            "tags": [
              "vendor-advisory",
              "x_refsource_APPLE",
              "x_transferred"
            ],
            "url": "http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html"
          },
          {
            "name": "FEDORA-2014-11495",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/139938.html"
          },
          {
            "name": "FEDORA-2014-11421",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140020.html"
          },
          {
            "name": "70100",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/70100"
          },
          {
            "name": "nodejs-cve20146394-dir-traversal(96727)",
            "tags": [
              "vdb-entry",
              "x_refsource_XF",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/96727"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21687263"
          },
          {
            "name": "FEDORA-2014-11289",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-September/139415.html"
          },
          {
            "name": "[oss-security] 20140924 CVE request: various NodeJS module vulnerabilities",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2014/09/24/1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2014-09-12T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "visionmedia send before 0.8.4 for Node.js uses a partial comparison for verifying whether a directory is within the document root, which allows remote attackers to access restricted directories, as demonstrated using \"public-restricted\" under a \"public\" directory."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-09-07T15:57:01.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "62170",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/62170"
        },
        {
          "name": "[oss-security] 20140924 Re: CVE request: various NodeJS module vulnerabilities",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2014/09/30/10"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1146063"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://nodesecurity.io/advisories/send-directory-traversal"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/visionmedia/send/pull/59"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://support.apple.com/HT205217"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/visionmedia/send/commit/9c6ca9b2c0b880afd3ff91ce0d211213c5fa5f9a"
        },
        {
          "name": "APPLE-SA-2015-09-16-2",
          "tags": [
            "vendor-advisory",
            "x_refsource_APPLE"
          ],
          "url": "http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html"
        },
        {
          "name": "FEDORA-2014-11495",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/139938.html"
        },
        {
          "name": "FEDORA-2014-11421",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140020.html"
        },
        {
          "name": "70100",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/70100"
        },
        {
          "name": "nodejs-cve20146394-dir-traversal(96727)",
          "tags": [
            "vdb-entry",
            "x_refsource_XF"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/96727"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21687263"
        },
        {
          "name": "FEDORA-2014-11289",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-September/139415.html"
        },
        {
          "name": "[oss-security] 20140924 CVE request: various NodeJS module vulnerabilities",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2014/09/24/1"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2014-6394",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "visionmedia send before 0.8.4 for Node.js uses a partial comparison for verifying whether a directory is within the document root, which allows remote attackers to access restricted directories, as demonstrated using \"public-restricted\" under a \"public\" directory."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "62170",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/62170"
            },
            {
              "name": "[oss-security] 20140924 Re: CVE request: various NodeJS module vulnerabilities",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2014/09/30/10"
            },
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1146063",
              "refsource": "CONFIRM",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1146063"
            },
            {
              "name": "https://nodesecurity.io/advisories/send-directory-traversal",
              "refsource": "MISC",
              "url": "https://nodesecurity.io/advisories/send-directory-traversal"
            },
            {
              "name": "https://github.com/visionmedia/send/pull/59",
              "refsource": "MISC",
              "url": "https://github.com/visionmedia/send/pull/59"
            },
            {
              "name": "https://support.apple.com/HT205217",
              "refsource": "CONFIRM",
              "url": "https://support.apple.com/HT205217"
            },
            {
              "name": "https://github.com/visionmedia/send/commit/9c6ca9b2c0b880afd3ff91ce0d211213c5fa5f9a",
              "refsource": "CONFIRM",
              "url": "https://github.com/visionmedia/send/commit/9c6ca9b2c0b880afd3ff91ce0d211213c5fa5f9a"
            },
            {
              "name": "APPLE-SA-2015-09-16-2",
              "refsource": "APPLE",
              "url": "http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html"
            },
            {
              "name": "FEDORA-2014-11495",
              "refsource": "FEDORA",
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/139938.html"
            },
            {
              "name": "FEDORA-2014-11421",
              "refsource": "FEDORA",
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140020.html"
            },
            {
              "name": "70100",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/70100"
            },
            {
              "name": "nodejs-cve20146394-dir-traversal(96727)",
              "refsource": "XF",
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/96727"
            },
            {
              "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21687263",
              "refsource": "CONFIRM",
              "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21687263"
            },
            {
              "name": "FEDORA-2014-11289",
              "refsource": "FEDORA",
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-September/139415.html"
            },
            {
              "name": "[oss-security] 20140924 CVE request: various NodeJS module vulnerabilities",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2014/09/24/1"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2014-6394",
    "datePublished": "2014-10-08T17:00:00.000Z",
    "dateReserved": "2014-09-15T00:00:00.000Z",
    "dateUpdated": "2024-08-06T12:17:23.629Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CERTFR-2015-AVI-399

Vulnerability from certfr_avis - Published: 2015-09-18 - Updated: 2015-09-18

De multiples vulnérabilités ont été corrigées dans Apple Xcode. Certaines d'entre elles permettent à un attaquant de provoquer un déni de service à distance, un contournement de la politique de sécurité et une atteinte à l'intégrité des données.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Apple Xcode version antérieure à 7.0

Impacted products

	Vendor	Product	Description

References

Title

Publication Time

FKIE_CVE-2014-6394

Vulnerability from fkie_nvd - Published: 2014-10-08 17:55 - Updated: 2025-04-12 10:46

Severity ?

Summary

References

URL	Tags
cve@mitre.org	http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html
cve@mitre.org	http://lists.fedoraproject.org/pipermail/package-announce/2014-October/139938.html
cve@mitre.org	http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140020.html
cve@mitre.org	http://lists.fedoraproject.org/pipermail/package-announce/2014-September/139415.html
cve@mitre.org	http://secunia.com/advisories/62170
cve@mitre.org	http://www-01.ibm.com/support/docview.wss?uid=swg21687263
cve@mitre.org	http://www.openwall.com/lists/oss-security/2014/09/24/1
cve@mitre.org	http://www.openwall.com/lists/oss-security/2014/09/30/10
cve@mitre.org	http://www.securityfocus.com/bid/70100
cve@mitre.org	https://bugzilla.redhat.com/show_bug.cgi?id=1146063
cve@mitre.org	https://exchange.xforce.ibmcloud.com/vulnerabilities/96727
cve@mitre.org	https://github.com/visionmedia/send/commit/9c6ca9b2c0b880afd3ff91ce0d211213c5fa5f9a	Exploit
cve@mitre.org	https://github.com/visionmedia/send/pull/59
cve@mitre.org	https://nodesecurity.io/advisories/send-directory-traversal
cve@mitre.org	https://support.apple.com/HT205217
af854a3a-2127-422b-91ae-364da2661108	http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html
af854a3a-2127-422b-91ae-364da2661108	http://lists.fedoraproject.org/pipermail/package-announce/2014-October/139938.html
af854a3a-2127-422b-91ae-364da2661108	http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140020.html
af854a3a-2127-422b-91ae-364da2661108	http://lists.fedoraproject.org/pipermail/package-announce/2014-September/139415.html
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/62170
af854a3a-2127-422b-91ae-364da2661108	http://www-01.ibm.com/support/docview.wss?uid=swg21687263
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2014/09/24/1
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2014/09/30/10
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/70100
af854a3a-2127-422b-91ae-364da2661108	https://bugzilla.redhat.com/show_bug.cgi?id=1146063
af854a3a-2127-422b-91ae-364da2661108	https://exchange.xforce.ibmcloud.com/vulnerabilities/96727
af854a3a-2127-422b-91ae-364da2661108	https://github.com/visionmedia/send/commit/9c6ca9b2c0b880afd3ff91ce0d211213c5fa5f9a	Exploit
af854a3a-2127-422b-91ae-364da2661108	https://github.com/visionmedia/send/pull/59
af854a3a-2127-422b-91ae-364da2661108	https://nodesecurity.io/advisories/send-directory-traversal
af854a3a-2127-422b-91ae-364da2661108	https://support.apple.com/HT205217

Impacted products

Vendor	Product	Version
fedoraproject	fedora	19
fedoraproject	fedora	20
fedoraproject	fedora	21
apple	xcode	7.0
joyent	node.js	*
joyent	node.js	0.8.0
joyent	node.js	0.8.1
joyent	node.js	0.8.2

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:19:*:*:*:*:*:*:*",
              "matchCriteriaId": "5991814D-CA77-4C25-90D2-DB542B17E0AD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:20:*:*:*:*:*:*:*",
              "matchCriteriaId": "FF47C9F0-D8DA-4B55-89EB-9B2C9383ADB9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:*",
              "matchCriteriaId": "56BDB5A0-0839-4A20-A003-B8CD56F48171",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apple:xcode:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "7344422F-F65A-4000-A9EF-8D323DA29011",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:joyent:node.js:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F2168E2D-854F-44A0-863E-58A51ECE9F78",
              "versionEndIncluding": "0.8.3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:joyent:node.js:0.8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "3B65C3DA-0EA3-424B-A67E-CDCB423C747F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:joyent:node.js:0.8.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "AB17C294-7956-4A9B-94CC-E8F81F614AE7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:joyent:node.js:0.8.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "36889A97-34A0-4898-B374-0ED1C9DAA8F5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "visionmedia send before 0.8.4 for Node.js uses a partial comparison for verifying whether a directory is within the document root, which allows remote attackers to access restricted directories, as demonstrated using \"public-restricted\" under a \"public\" directory."
    },
    {
      "lang": "es",
      "value": "visionmedia send anterior a 0.8.4 para Node.js utiliza una comparaci\u00f3n parcial para verificar si un directorio est\u00e1 dentro del root del documento, lo que permite a atacantes remotos acceder a directorios restringidos, tal y como fue demostrado mediante el uso de \u0027p\u00fablico restringido\u0027 bajo un directorio \u0027publico\u0027."
    }
  ],
  "id": "CVE-2014-6394",
  "lastModified": "2025-04-12T10:46:40.837",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 7.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2014-10-08T17:55:05.123",
  "references": [
    {
      "source": "cve@mitre.org",
      "url": "http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/139938.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140020.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-September/139415.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://secunia.com/advisories/62170"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21687263"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.openwall.com/lists/oss-security/2014/09/24/1"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.openwall.com/lists/oss-security/2014/09/30/10"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.securityfocus.com/bid/70100"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1146063"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/96727"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit"
      ],
      "url": "https://github.com/visionmedia/send/commit/9c6ca9b2c0b880afd3ff91ce0d211213c5fa5f9a"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://github.com/visionmedia/send/pull/59"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://nodesecurity.io/advisories/send-directory-traversal"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://support.apple.com/HT205217"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/139938.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140020.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-September/139415.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://secunia.com/advisories/62170"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21687263"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.openwall.com/lists/oss-security/2014/09/24/1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.openwall.com/lists/oss-security/2014/09/30/10"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/bid/70100"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1146063"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/96727"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit"
      ],
      "url": "https://github.com/visionmedia/send/commit/9c6ca9b2c0b880afd3ff91ce0d211213c5fa5f9a"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/visionmedia/send/pull/59"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://nodesecurity.io/advisories/send-directory-traversal"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://support.apple.com/HT205217"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GSD-2014-6394

Vulnerability from gsd - Updated: 2023-12-13 01:22

Details

Aliases

CVE-2014-6394

Aliases

CVE-2014-6394

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2014-6394",
    "description": "visionmedia send before 0.8.4 for Node.js uses a partial comparison for verifying whether a directory is within the document root, which allows remote attackers to access restricted directories, as demonstrated using \"public-restricted\" under a \"public\" directory.",
    "id": "GSD-2014-6394",
    "references": [
      "https://www.suse.com/security/cve/CVE-2014-6394.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2014-6394"
      ],
      "details": "visionmedia send before 0.8.4 for Node.js uses a partial comparison for verifying whether a directory is within the document root, which allows remote attackers to access restricted directories, as demonstrated using \"public-restricted\" under a \"public\" directory.",
      "id": "GSD-2014-6394",
      "modified": "2023-12-13T01:22:50.017311Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2014-6394",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "visionmedia send before 0.8.4 for Node.js uses a partial comparison for verifying whether a directory is within the document root, which allows remote attackers to access restricted directories, as demonstrated using \"public-restricted\" under a \"public\" directory."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "62170",
            "refsource": "SECUNIA",
            "url": "http://secunia.com/advisories/62170"
          },
          {
            "name": "[oss-security] 20140924 Re: CVE request: various NodeJS module vulnerabilities",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2014/09/30/10"
          },
          {
            "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1146063",
            "refsource": "CONFIRM",
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1146063"
          },
          {
            "name": "https://nodesecurity.io/advisories/send-directory-traversal",
            "refsource": "MISC",
            "url": "https://nodesecurity.io/advisories/send-directory-traversal"
          },
          {
            "name": "https://github.com/visionmedia/send/pull/59",
            "refsource": "MISC",
            "url": "https://github.com/visionmedia/send/pull/59"
          },
          {
            "name": "https://support.apple.com/HT205217",
            "refsource": "CONFIRM",
            "url": "https://support.apple.com/HT205217"
          },
          {
            "name": "https://github.com/visionmedia/send/commit/9c6ca9b2c0b880afd3ff91ce0d211213c5fa5f9a",
            "refsource": "CONFIRM",
            "url": "https://github.com/visionmedia/send/commit/9c6ca9b2c0b880afd3ff91ce0d211213c5fa5f9a"
          },
          {
            "name": "APPLE-SA-2015-09-16-2",
            "refsource": "APPLE",
            "url": "http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html"
          },
          {
            "name": "FEDORA-2014-11495",
            "refsource": "FEDORA",
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/139938.html"
          },
          {
            "name": "FEDORA-2014-11421",
            "refsource": "FEDORA",
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140020.html"
          },
          {
            "name": "70100",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/70100"
          },
          {
            "name": "nodejs-cve20146394-dir-traversal(96727)",
            "refsource": "XF",
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/96727"
          },
          {
            "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21687263",
            "refsource": "CONFIRM",
            "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21687263"
          },
          {
            "name": "FEDORA-2014-11289",
            "refsource": "FEDORA",
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-September/139415.html"
          },
          {
            "name": "[oss-security] 20140924 CVE request: various NodeJS module vulnerabilities",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2014/09/24/1"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c0.8.4",
          "affected_versions": "All versions before 0.8.4",
          "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "cwe_ids": [
            "CWE-1035",
            "CWE-22",
            "CWE-937"
          ],
          "date": "2021-09-22",
          "description": "visionmedia send before 0.8.4 for Node.js uses a partial comparison for verifying whether a directory is within the document root, which allows remote attackers to access restricted directories, as demonstrated using \"public-restricted\" under a \"public\" directory.",
          "fixed_versions": [
            "0.8.4"
          ],
          "identifier": "CVE-2014-6394",
          "identifiers": [
            "GHSA-xwg4-93c6-3h42",
            "CVE-2014-6394"
          ],
          "not_impacted": "All versions starting from 0.8.4",
          "package_slug": "npm/send",
          "pubdate": "2017-10-24",
          "solution": "Upgrade to version 0.8.4 or above.",
          "title": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2014-6394",
            "https://github.com/visionmedia/send/pull/59",
            "https://github.com/visionmedia/send/commit/9c6ca9b2c0b880afd3ff91ce0d211213c5fa5f9a",
            "https://github.com/advisories/GHSA-xwg4-93c6-3h42",
            "https://www.npmjs.com/advisories/32",
            "https://bugzilla.redhat.com/show_bug.cgi?id=1146063",
            "https://exchange.xforce.ibmcloud.com/vulnerabilities/96727",
            "https://nodesecurity.io/advisories/send-directory-traversal",
            "https://support.apple.com/HT205217",
            "http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html",
            "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/139938.html",
            "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140020.html",
            "http://lists.fedoraproject.org/pipermail/package-announce/2014-September/139415.html",
            "http://secunia.com/advisories/62170",
            "http://www-01.ibm.com/support/docview.wss?uid=swg21687263",
            "http://www.openwall.com/lists/oss-security/2014/09/24/1",
            "http://www.openwall.com/lists/oss-security/2014/09/30/10",
            "http://www.securityfocus.com/bid/70100"
          ],
          "uuid": "9fc8d964-d282-4e96-a81a-338d5400de85"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:20:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:19:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:apple:xcode:7.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:joyent:node.js:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "0.8.3",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:joyent:node.js:0.8.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:joyent:node.js:0.8.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:joyent:node.js:0.8.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2014-6394"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "visionmedia send before 0.8.4 for Node.js uses a partial comparison for verifying whether a directory is within the document root, which allows remote attackers to access restricted directories, as demonstrated using \"public-restricted\" under a \"public\" directory."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-22"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/visionmedia/send/pull/59",
              "refsource": "MISC",
              "tags": [],
              "url": "https://github.com/visionmedia/send/pull/59"
            },
            {
              "name": "[oss-security] 20140924 CVE request: various NodeJS module vulnerabilities",
              "refsource": "MLIST",
              "tags": [],
              "url": "http://www.openwall.com/lists/oss-security/2014/09/24/1"
            },
            {
              "name": "70100",
              "refsource": "BID",
              "tags": [],
              "url": "http://www.securityfocus.com/bid/70100"
            },
            {
              "name": "FEDORA-2014-11289",
              "refsource": "FEDORA",
              "tags": [],
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-September/139415.html"
            },
            {
              "name": "FEDORA-2014-11421",
              "refsource": "FEDORA",
              "tags": [],
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140020.html"
            },
            {
              "name": "https://nodesecurity.io/advisories/send-directory-traversal",
              "refsource": "MISC",
              "tags": [],
              "url": "https://nodesecurity.io/advisories/send-directory-traversal"
            },
            {
              "name": "https://github.com/visionmedia/send/commit/9c6ca9b2c0b880afd3ff91ce0d211213c5fa5f9a",
              "refsource": "CONFIRM",
              "tags": [
                "Exploit"
              ],
              "url": "https://github.com/visionmedia/send/commit/9c6ca9b2c0b880afd3ff91ce0d211213c5fa5f9a"
            },
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1146063",
              "refsource": "CONFIRM",
              "tags": [],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1146063"
            },
            {
              "name": "FEDORA-2014-11495",
              "refsource": "FEDORA",
              "tags": [],
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/139938.html"
            },
            {
              "name": "[oss-security] 20140924 Re: CVE request: various NodeJS module vulnerabilities",
              "refsource": "MLIST",
              "tags": [],
              "url": "http://www.openwall.com/lists/oss-security/2014/09/30/10"
            },
            {
              "name": "APPLE-SA-2015-09-16-2",
              "refsource": "APPLE",
              "tags": [],
              "url": "http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html"
            },
            {
              "name": "https://support.apple.com/HT205217",
              "refsource": "CONFIRM",
              "tags": [],
              "url": "https://support.apple.com/HT205217"
            },
            {
              "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21687263",
              "refsource": "CONFIRM",
              "tags": [],
              "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21687263"
            },
            {
              "name": "62170",
              "refsource": "SECUNIA",
              "tags": [],
              "url": "http://secunia.com/advisories/62170"
            },
            {
              "name": "nodejs-cve20146394-dir-traversal(96727)",
              "refsource": "XF",
              "tags": [],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/96727"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        }
      },
      "lastModifiedDate": "2017-09-08T01:29Z",
      "publishedDate": "2014-10-08T17:55Z"
    }
  }
}

GHSA-XWG4-93C6-3H42

Vulnerability from github – Published: 2017-10-24 18:33 – Updated: 2021-09-22 17:58

Summary

Directory Traversal in send

Details

Versions 0.8.3 and earlier of send are affected by a directory traversal vulnerability. When relying on the root option to restrict file access it may be possible for an application consumer to escape out of the restricted directory and access files in a similarly named directory.

For example, static(_dirname + '/public') would allow access to _dirname + '/public-restricted'.

Recommendation

Update to version 0.8.4 or later.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "send"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.8.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2014-6394"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T22:04:41Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "Versions 0.8.3 and earlier of `send` are affected by a directory traversal vulnerability. When relying on the root option to restrict file access it may be possible for an application consumer to escape out of the restricted directory and access files in a similarly named directory. \n\nFor example, `static(_dirname + \u0027/public\u0027)` would allow access to `_dirname + \u0027/public-restricted\u0027`.\n\n\n## Recommendation\n\nUpdate to version 0.8.4 or later.",
  "id": "GHSA-xwg4-93c6-3h42",
  "modified": "2021-09-22T17:58:56Z",
  "published": "2017-10-24T18:33:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-6394"
    },
    {
      "type": "WEB",
      "url": "https://github.com/visionmedia/send/pull/59"
    },
    {
      "type": "WEB",
      "url": "https://github.com/visionmedia/send/commit/9c6ca9b2c0b880afd3ff91ce0d211213c5fa5f9a"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1146063"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/96727"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-xwg4-93c6-3h42"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/visionmedia/send"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/HT205217"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/32"
    },
    {
      "type": "WEB",
      "url": "http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/139938.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140020.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-September/139415.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/62170"
    },
    {
      "type": "WEB",
      "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21687263"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2014/09/24/1"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2014/09/30/10"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/70100"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Directory Traversal in send"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2014-6394 (GCVE-0-2014-6394)

CERTFR-2015-AVI-399

Solution

FKIE_CVE-2014-6394

GSD-2014-6394

GHSA-XWG4-93C6-3H42

Recommendation

Tags

Sightings

Nomenclature