Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWpncWYtaHdjNS1oaDM3
Root Path Disclosure in send
Versions of send prior to 0.11.2 are affected by an information leakage vulnerability which may allow an attacker to enumerate paths on the server filesystem.
Recommendation
Update to version 0.11.1 or later.
Permalink: https://github.com/advisories/GHSA-jgqf-hwc5-hh37JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWpncWYtaHdjNS1oaDM3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 6 years ago
Updated: 6 months ago
CVSS Score: 5.3
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Identifiers: GHSA-jgqf-hwc5-hh37, CVE-2015-8859
References:
- https://nvd.nist.gov/vuln/detail/CVE-2015-8859
- https://github.com/pillarjs/send/pull/70
- https://github.com/expressjs/serve-static/blob/master/HISTORY.md#181--2015-01-20
- http://www.openwall.com/lists/oss-security/2016/04/20/11
- https://github.com/pillarjs/send/commit/98a5b89982b38e79db684177cf94730ce7fc7aed
- https://web.archive.org/web/20200227192016/https://www.securityfocus.com/bid/96435/
- https://github.com/advisories/GHSA-jgqf-hwc5-hh37
Blast Radius: 35.5
Affected Packages
npm:send
Dependent packages: 2,106Dependent repositories: 4,993,661
Downloads: 126,382,574 last month
Affected Version Ranges: < 0.11.1
Fixed in: 0.11.1
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.2.0, 0.3.0, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.5.0, 0.6.0, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.8.5, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.10.0, 0.10.1, 0.11.0
All unaffected versions: 0.11.1, 0.12.0, 0.12.1, 0.12.2, 0.12.3, 0.13.0, 0.13.1, 0.13.2, 0.14.0, 0.14.1, 0.14.2, 0.15.0, 0.15.1, 0.15.2, 0.15.3, 0.15.4, 0.15.5, 0.15.6, 0.16.0, 0.16.1, 0.16.2, 0.17.0, 0.17.1, 0.17.2, 0.18.0