logo

Database

Lack of data validation - Path Traversal In send

Description

Directory Traversal in send Versions 0.8.3 and earlier of send are affected by a directory traversal vulnerability. When relying on the root option to restrict file access it may be possible for an application consumer to escape out of the restricted directory and access files in a similarly named directory.

For example, static(_dirname + '/public') would allow access to _dirname + '/public-restricted'.

Recommendation

Update to version 0.8.4 or later.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2014-63942. NVD-2014-63943. OSV-2014-63944. OSV-DEBIAN-2014-63945. GHSA-xwg4-93c6-3h426. GCVE-2014-63947. SECURITY-TRACKER-CVE-2014-6394

References

1. https://github.com/visionmedia/send/pull/592. https://github.com/visionmedia/send/commit/9c6ca9b2c0b880afd3ff91ce0d211213c5fa5f9a3. https://bugzilla.redhat.com/show_bug.cgi?id=11460634. https://exchange.xforce.ibmcloud.com/vulnerabilities/967275. https://support.apple.com/HT2052176. https://www.npmjs.com/advisories/327. http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html8. http://lists.fedoraproject.org/pipermail/package-announce/2014-October/139938.html9. http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140020.html10. http://lists.fedoraproject.org/pipermail/package-announce/2014-September/139415.html11. http://www-01.ibm.com/support/docview.wss?uid=swg2168726312. http://www.openwall.com/lists/oss-security/2014/09/24/113. http://www.openwall.com/lists/oss-security/2014/09/30/1014. http://www.securityfocus.com/bid/70100

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.