Ecosyste.ms: Advisories

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXh3ZzQtOTNjNi0zaDQy

Directory Traversal in send

Versions 0.8.3 and earlier of send are affected by a directory traversal vulnerability. When relying on the root option to restrict file access it may be possible for an application consumer to escape out of the restricted directory and access files in a similarly named directory.

For example, static(_dirname + '/public') would allow access to _dirname + '/public-restricted'.

Recommendation

Update to version 0.8.4 or later.

Permalink: https://github.com/advisories/GHSA-xwg4-93c6-3h42
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXh3ZzQtOTNjNi0zaDQy
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: over 6 years ago
Updated: over 1 year ago

Identifiers: GHSA-xwg4-93c6-3h42, CVE-2014-6394
References:

• https://nvd.nist.gov/vuln/detail/CVE-2014-6394
• https://github.com/visionmedia/send/pull/59
• https://github.com/visionmedia/send/commit/9c6ca9b2c0b880afd3ff91ce0d211213c5fa5f9a
• https://github.com/advisories/GHSA-xwg4-93c6-3h42
• https://www.npmjs.com/advisories/32
• https://bugzilla.redhat.com/show_bug.cgi?id=1146063
• https://exchange.xforce.ibmcloud.com/vulnerabilities/96727
• https://support.apple.com/HT205217
• http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html
• http://lists.fedoraproject.org/pipermail/package-announce/2014-October/139938.html
• http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140020.html
• http://lists.fedoraproject.org/pipermail/package-announce/2014-September/139415.html
• http://secunia.com/advisories/62170
• http://www-01.ibm.com/support/docview.wss?uid=swg21687263
• http://www.openwall.com/lists/oss-security/2014/09/24/1
• http://www.openwall.com/lists/oss-security/2014/09/30/10
• http://www.securityfocus.com/bid/70100

Repository: https://github.com/visionmedia/send
Blast Radius: 0.0

Affected Packages