CVE-2014-6394 – send

Package

Manager: npm
Name: send
Vulnerable Version: >=0 <0.8.4

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.04842 pctl0.89116

Details

Directory Traversal in send Versions 0.8.3 and earlier of `send` are affected by a directory traversal vulnerability. When relying on the root option to restrict file access it may be possible for an application consumer to escape out of the restricted directory and access files in a similarly named directory. For example, `static(_dirname + '/public')` would allow access to `_dirname + '/public-restricted'`. ## Recommendation Update to version 0.8.4 or later.

Metadata

Created: 2017-10-24T18:33:36Z
Modified: 2021-09-22T17:58:56Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-xwg4-93c6-3h42/GHSA-xwg4-93c6-3h42.json
CWE IDs: ["CWE-22"]
Alternative ID: GHSA-xwg4-93c6-3h42
Finding: F063
Auto approve: 1