cvelistv5 - CVE-2014-6394

CVE-2014-6394 (GCVE-0-2014-6394)

Vulnerability from cvelistv5

Published

2014-10-08 17:00

Modified

2024-08-06 12:17

Severity ?

CWE

Summary

References

URL

Tags

cve@mitre.org	http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html
cve@mitre.org	http://lists.fedoraproject.org/pipermail/package-announce/2014-October/139938.html
cve@mitre.org	http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140020.html
cve@mitre.org	http://lists.fedoraproject.org/pipermail/package-announce/2014-September/139415.html
cve@mitre.org	http://secunia.com/advisories/62170
cve@mitre.org	http://www-01.ibm.com/support/docview.wss?uid=swg21687263
cve@mitre.org	http://www.openwall.com/lists/oss-security/2014/09/24/1
cve@mitre.org	http://www.openwall.com/lists/oss-security/2014/09/30/10
cve@mitre.org	http://www.securityfocus.com/bid/70100
cve@mitre.org	https://bugzilla.redhat.com/show_bug.cgi?id=1146063
cve@mitre.org	https://exchange.xforce.ibmcloud.com/vulnerabilities/96727
cve@mitre.org	https://github.com/visionmedia/send/commit/9c6ca9b2c0b880afd3ff91ce0d211213c5fa5f9a	Exploit
cve@mitre.org	https://github.com/visionmedia/send/pull/59
cve@mitre.org	https://nodesecurity.io/advisories/send-directory-traversal
cve@mitre.org	https://support.apple.com/HT205217
af854a3a-2127-422b-91ae-364da2661108	http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html
af854a3a-2127-422b-91ae-364da2661108	http://lists.fedoraproject.org/pipermail/package-announce/2014-October/139938.html
af854a3a-2127-422b-91ae-364da2661108	http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140020.html
af854a3a-2127-422b-91ae-364da2661108	http://lists.fedoraproject.org/pipermail/package-announce/2014-September/139415.html
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/62170
af854a3a-2127-422b-91ae-364da2661108	http://www-01.ibm.com/support/docview.wss?uid=swg21687263
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2014/09/24/1
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2014/09/30/10
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/70100
af854a3a-2127-422b-91ae-364da2661108	https://bugzilla.redhat.com/show_bug.cgi?id=1146063
af854a3a-2127-422b-91ae-364da2661108	https://exchange.xforce.ibmcloud.com/vulnerabilities/96727
af854a3a-2127-422b-91ae-364da2661108	https://github.com/visionmedia/send/commit/9c6ca9b2c0b880afd3ff91ce0d211213c5fa5f9a	Exploit
af854a3a-2127-422b-91ae-364da2661108	https://github.com/visionmedia/send/pull/59
af854a3a-2127-422b-91ae-364da2661108	https://nodesecurity.io/advisories/send-directory-traversal
af854a3a-2127-422b-91ae-364da2661108	https://support.apple.com/HT205217

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T12:17:23.629Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "62170",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/62170"
          },
          {
            "name": "[oss-security] 20140924 Re: CVE request: various NodeJS module vulnerabilities",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2014/09/30/10"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1146063"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://nodesecurity.io/advisories/send-directory-traversal"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/visionmedia/send/pull/59"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://support.apple.com/HT205217"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/visionmedia/send/commit/9c6ca9b2c0b880afd3ff91ce0d211213c5fa5f9a"
          },
          {
            "name": "APPLE-SA-2015-09-16-2",
            "tags": [
              "vendor-advisory",
              "x_refsource_APPLE",
              "x_transferred"
            ],
            "url": "http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html"
          },
          {
            "name": "FEDORA-2014-11495",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/139938.html"
          },
          {
            "name": "FEDORA-2014-11421",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140020.html"
          },
          {
            "name": "70100",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/70100"
          },
          {
            "name": "nodejs-cve20146394-dir-traversal(96727)",
            "tags": [
              "vdb-entry",
              "x_refsource_XF",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/96727"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21687263"
          },
          {
            "name": "FEDORA-2014-11289",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-September/139415.html"
          },
          {
            "name": "[oss-security] 20140924 CVE request: various NodeJS module vulnerabilities",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2014/09/24/1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2014-09-12T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "visionmedia send before 0.8.4 for Node.js uses a partial comparison for verifying whether a directory is within the document root, which allows remote attackers to access restricted directories, as demonstrated using \"public-restricted\" under a \"public\" directory."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-09-07T15:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "62170",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/62170"
        },
        {
          "name": "[oss-security] 20140924 Re: CVE request: various NodeJS module vulnerabilities",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2014/09/30/10"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1146063"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://nodesecurity.io/advisories/send-directory-traversal"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/visionmedia/send/pull/59"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://support.apple.com/HT205217"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/visionmedia/send/commit/9c6ca9b2c0b880afd3ff91ce0d211213c5fa5f9a"
        },
        {
          "name": "APPLE-SA-2015-09-16-2",
          "tags": [
            "vendor-advisory",
            "x_refsource_APPLE"
          ],
          "url": "http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html"
        },
        {
          "name": "FEDORA-2014-11495",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/139938.html"
        },
        {
          "name": "FEDORA-2014-11421",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140020.html"
        },
        {
          "name": "70100",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/70100"
        },
        {
          "name": "nodejs-cve20146394-dir-traversal(96727)",
          "tags": [
            "vdb-entry",
            "x_refsource_XF"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/96727"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21687263"
        },
        {
          "name": "FEDORA-2014-11289",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-September/139415.html"
        },
        {
          "name": "[oss-security] 20140924 CVE request: various NodeJS module vulnerabilities",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2014/09/24/1"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2014-6394",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "visionmedia send before 0.8.4 for Node.js uses a partial comparison for verifying whether a directory is within the document root, which allows remote attackers to access restricted directories, as demonstrated using \"public-restricted\" under a \"public\" directory."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "62170",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/62170"
            },
            {
              "name": "[oss-security] 20140924 Re: CVE request: various NodeJS module vulnerabilities",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2014/09/30/10"
            },
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1146063",
              "refsource": "CONFIRM",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1146063"
            },
            {
              "name": "https://nodesecurity.io/advisories/send-directory-traversal",
              "refsource": "MISC",
              "url": "https://nodesecurity.io/advisories/send-directory-traversal"
            },
            {
              "name": "https://github.com/visionmedia/send/pull/59",
              "refsource": "MISC",
              "url": "https://github.com/visionmedia/send/pull/59"
            },
            {
              "name": "https://support.apple.com/HT205217",
              "refsource": "CONFIRM",
              "url": "https://support.apple.com/HT205217"
            },
            {
              "name": "https://github.com/visionmedia/send/commit/9c6ca9b2c0b880afd3ff91ce0d211213c5fa5f9a",
              "refsource": "CONFIRM",
              "url": "https://github.com/visionmedia/send/commit/9c6ca9b2c0b880afd3ff91ce0d211213c5fa5f9a"
            },
            {
              "name": "APPLE-SA-2015-09-16-2",
              "refsource": "APPLE",
              "url": "http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html"
            },
            {
              "name": "FEDORA-2014-11495",
              "refsource": "FEDORA",
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/139938.html"
            },
            {
              "name": "FEDORA-2014-11421",
              "refsource": "FEDORA",
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140020.html"
            },
            {
              "name": "70100",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/70100"
            },
            {
              "name": "nodejs-cve20146394-dir-traversal(96727)",
              "refsource": "XF",
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/96727"
            },
            {
              "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21687263",
              "refsource": "CONFIRM",
              "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21687263"
            },
            {
              "name": "FEDORA-2014-11289",
              "refsource": "FEDORA",
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-September/139415.html"
            },
            {
              "name": "[oss-security] 20140924 CVE request: various NodeJS module vulnerabilities",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2014/09/24/1"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2014-6394",
    "datePublished": "2014-10-08T17:00:00",
    "dateReserved": "2014-09-15T00:00:00",
    "dateUpdated": "2024-08-06T12:17:23.629Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2014-6394\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2014-10-08T17:55:05.123\",\"lastModified\":\"2025-04-12T10:46:40.837\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"visionmedia send before 0.8.4 for Node.js uses a partial comparison for verifying whether a directory is within the document root, which allows remote attackers to access restricted directories, as demonstrated using \\\"public-restricted\\\" under a \\\"public\\\" directory.\"},{\"lang\":\"es\",\"value\":\"visionmedia send anterior a 0.8.4 para Node.js utiliza una comparaci\u00f3n parcial para verificar si un directorio est\u00e1 dentro del root del documento, lo que permite a atacantes remotos acceder a directorios restringidos, tal y como fue demostrado mediante el uso de \u0027p\u00fablico restringido\u0027 bajo un directorio \u0027publico\u0027.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:19:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5991814D-CA77-4C25-90D2-DB542B17E0AD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:20:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FF47C9F0-D8DA-4B55-89EB-9B2C9383ADB9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"56BDB5A0-0839-4A20-A003-B8CD56F48171\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apple:xcode:7.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7344422F-F65A-4000-A9EF-8D323DA29011\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:joyent:node.js:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"0.8.3\",\"matchCriteriaId\":\"F2168E2D-854F-44A0-863E-58A51ECE9F78\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:joyent:node.js:0.8.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3B65C3DA-0EA3-424B-A67E-CDCB423C747F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:joyent:node.js:0.8.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"AB17C294-7956-4A9B-94CC-E8F81F614AE7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:joyent:node.js:0.8.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"36889A97-34A0-4898-B374-0ED1C9DAA8F5\"}]}]}],\"references\":[{\"url\":\"http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://lists.fedoraproject.org/pipermail/package-announce/2014-October/139938.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140020.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://lists.fedoraproject.org/pipermail/package-announce/2014-September/139415.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://secunia.com/advisories/62170\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www-01.ibm.com/support/docview.wss?uid=swg21687263\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2014/09/24/1\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2014/09/30/10\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.securityfocus.com/bid/70100\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=1146063\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/96727\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://github.com/visionmedia/send/commit/9c6ca9b2c0b880afd3ff91ce0d211213c5fa5f9a\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\"]},{\"url\":\"https://github.com/visionmedia/send/pull/59\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://nodesecurity.io/advisories/send-directory-traversal\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://support.apple.com/HT205217\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://lists.fedoraproject.org/pipermail/package-announce/2014-October/139938.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140020.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://lists.fedoraproject.org/pipermail/package-announce/2014-September/139415.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://secunia.com/advisories/62170\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www-01.ibm.com/support/docview.wss?uid=swg21687263\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2014/09/24/1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2014/09/30/10\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securityfocus.com/bid/70100\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=1146063\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/96727\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/visionmedia/send/commit/9c6ca9b2c0b880afd3ff91ce0d211213c5fa5f9a\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\"]},{\"url\":\"https://github.com/visionmedia/send/pull/59\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://nodesecurity.io/advisories/send-directory-traversal\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://support.apple.com/HT205217\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}

fkie_cve-2014-6394

Vulnerability from fkie_nvd

Published

2014-10-08 17:55

Modified

2025-04-12 10:46

Severity ?

Summary

References

URL	Tags
cve@mitre.org	http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html
cve@mitre.org	http://lists.fedoraproject.org/pipermail/package-announce/2014-October/139938.html
cve@mitre.org	http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140020.html
cve@mitre.org	http://lists.fedoraproject.org/pipermail/package-announce/2014-September/139415.html
cve@mitre.org	http://secunia.com/advisories/62170
cve@mitre.org	http://www-01.ibm.com/support/docview.wss?uid=swg21687263
cve@mitre.org	http://www.openwall.com/lists/oss-security/2014/09/24/1
cve@mitre.org	http://www.openwall.com/lists/oss-security/2014/09/30/10
cve@mitre.org	http://www.securityfocus.com/bid/70100
cve@mitre.org	https://bugzilla.redhat.com/show_bug.cgi?id=1146063
cve@mitre.org	https://exchange.xforce.ibmcloud.com/vulnerabilities/96727
cve@mitre.org	https://github.com/visionmedia/send/commit/9c6ca9b2c0b880afd3ff91ce0d211213c5fa5f9a	Exploit
cve@mitre.org	https://github.com/visionmedia/send/pull/59
cve@mitre.org	https://nodesecurity.io/advisories/send-directory-traversal
cve@mitre.org	https://support.apple.com/HT205217
af854a3a-2127-422b-91ae-364da2661108	http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html
af854a3a-2127-422b-91ae-364da2661108	http://lists.fedoraproject.org/pipermail/package-announce/2014-October/139938.html
af854a3a-2127-422b-91ae-364da2661108	http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140020.html
af854a3a-2127-422b-91ae-364da2661108	http://lists.fedoraproject.org/pipermail/package-announce/2014-September/139415.html
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/62170
af854a3a-2127-422b-91ae-364da2661108	http://www-01.ibm.com/support/docview.wss?uid=swg21687263
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2014/09/24/1
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2014/09/30/10
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/70100
af854a3a-2127-422b-91ae-364da2661108	https://bugzilla.redhat.com/show_bug.cgi?id=1146063
af854a3a-2127-422b-91ae-364da2661108	https://exchange.xforce.ibmcloud.com/vulnerabilities/96727
af854a3a-2127-422b-91ae-364da2661108	https://github.com/visionmedia/send/commit/9c6ca9b2c0b880afd3ff91ce0d211213c5fa5f9a	Exploit
af854a3a-2127-422b-91ae-364da2661108	https://github.com/visionmedia/send/pull/59
af854a3a-2127-422b-91ae-364da2661108	https://nodesecurity.io/advisories/send-directory-traversal
af854a3a-2127-422b-91ae-364da2661108	https://support.apple.com/HT205217

Impacted products

Vendor	Product	Version
fedoraproject	fedora	19
fedoraproject	fedora	20
fedoraproject	fedora	21
apple	xcode	7.0
joyent	node.js	*
joyent	node.js	0.8.0
joyent	node.js	0.8.1
joyent	node.js	0.8.2

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:19:*:*:*:*:*:*:*",
              "matchCriteriaId": "5991814D-CA77-4C25-90D2-DB542B17E0AD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:20:*:*:*:*:*:*:*",
              "matchCriteriaId": "FF47C9F0-D8DA-4B55-89EB-9B2C9383ADB9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:*",
              "matchCriteriaId": "56BDB5A0-0839-4A20-A003-B8CD56F48171",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apple:xcode:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "7344422F-F65A-4000-A9EF-8D323DA29011",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:joyent:node.js:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F2168E2D-854F-44A0-863E-58A51ECE9F78",
              "versionEndIncluding": "0.8.3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:joyent:node.js:0.8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "3B65C3DA-0EA3-424B-A67E-CDCB423C747F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:joyent:node.js:0.8.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "AB17C294-7956-4A9B-94CC-E8F81F614AE7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:joyent:node.js:0.8.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "36889A97-34A0-4898-B374-0ED1C9DAA8F5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "visionmedia send before 0.8.4 for Node.js uses a partial comparison for verifying whether a directory is within the document root, which allows remote attackers to access restricted directories, as demonstrated using \"public-restricted\" under a \"public\" directory."
    },
    {
      "lang": "es",
      "value": "visionmedia send anterior a 0.8.4 para Node.js utiliza una comparaci\u00f3n parcial para verificar si un directorio est\u00e1 dentro del root del documento, lo que permite a atacantes remotos acceder a directorios restringidos, tal y como fue demostrado mediante el uso de \u0027p\u00fablico restringido\u0027 bajo un directorio \u0027publico\u0027."
    }
  ],
  "id": "CVE-2014-6394",
  "lastModified": "2025-04-12T10:46:40.837",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 7.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2014-10-08T17:55:05.123",
  "references": [
    {
      "source": "cve@mitre.org",
      "url": "http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/139938.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140020.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-September/139415.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://secunia.com/advisories/62170"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21687263"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.openwall.com/lists/oss-security/2014/09/24/1"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.openwall.com/lists/oss-security/2014/09/30/10"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.securityfocus.com/bid/70100"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1146063"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/96727"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit"
      ],
      "url": "https://github.com/visionmedia/send/commit/9c6ca9b2c0b880afd3ff91ce0d211213c5fa5f9a"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://github.com/visionmedia/send/pull/59"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://nodesecurity.io/advisories/send-directory-traversal"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://support.apple.com/HT205217"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/139938.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140020.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-September/139415.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://secunia.com/advisories/62170"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21687263"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.openwall.com/lists/oss-security/2014/09/24/1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.openwall.com/lists/oss-security/2014/09/30/10"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/bid/70100"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1146063"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/96727"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit"
      ],
      "url": "https://github.com/visionmedia/send/commit/9c6ca9b2c0b880afd3ff91ce0d211213c5fa5f9a"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/visionmedia/send/pull/59"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://nodesecurity.io/advisories/send-directory-traversal"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://support.apple.com/HT205217"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

visionmedia send before 0.8.4 for Node.js uses a partial comparison for verifying whether a directory is within the document root, which allows remote attackers to access restricted directories, as demonstrated using "public-restricted" under a "public" directory. Node.js is prone to a directory-traversal vulnerability because it fails to properly sanitize user-supplied input. Remote attackers can use specially crafted requests with directory-traversal sequences ('../') to create or overwrite arbitrary files in the context of the application. This may aid in further attacks. Versions prior to Node.js 0.8.4 are vulnerable. Joyent Node.js is a set of network application platforms built on the Google V8 JavaScript engine by the American Joyent company. The platform is mainly used to build highly scalable applications and write connection code that can handle tens of thousands of connections to a physical machine at the same time. A remote attacker could exploit this vulnerability to access restricted directories. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256

APPLE-SA-2015-09-16-2 Xcode 7.0

Xcode 7.0 is now available and addresses the following:

DevTools Available for: OS X Yosemite v10.10.4 or later Impact: An attacker may be able to bypass access restrictions Description: An API issue existed in the apache configuration. This issue was addressed by updating header files to use the latest version. CVE-ID CVE-2015-3185 : Branko Aibej of the Apache Software Foundation

IDE Xcode Server Available for: OS X Yosemite 10.10 or later Impact: An attacker may be able to access restricted parts of the filesystem Description: A comparison issue existed in the node.js send module prior to version 0.8.4. This issue was addressed by upgrading to version 0.12.3. CVE-ID CVE-2014-6394 : Ilya Kantor

IDE Xcode Server Available for: OS X Yosemite v10.10.4 or later Impact: Multiple vulnerabilties in OpenSSL Description: Multiple vulnerabilties existed in the node.js OpenSSL module prior to version 1.0.1j. These issues were addressed by updating openssl to version 1.0.1j. CVE-ID CVE-2014-3513 CVE-2014-3566 CVE-2014-3567 CVE-2014-3568

IDE Xcode Server Available for: OS X Yosemite v10.10.4 or later Impact: An attacker with a privileged network position may be able to inspect traffic to Xcode Server Description: Connections to Xcode Server may have been made without encryption. This issue was addressed through improved network connection logic. CVE-ID CVE-2015-5910 : an anonymous researcher

IDE Xcode Server Available for: OS X Yosemite v10.10.4 or later Impact: Build notifications may be sent to unintended recipients Description: An access issue existed in the handling of repository email lists. This issue was addressed through improved validation. CVE-ID CVE-2015-5909 : Daniel Tomlinson of Rocket Apps, David Gatwood of Anchorfree

subversion Available for: OS X Yosemite v10.10.4 or later Impact: Multiple vulnerabilities existed in svn versions prior to 1.7.19 Description: Multiple vulnerabilities existed in svn versions prior to 1.7.19. These issues were addressed by updating svn to version 1.7.20. CVE-ID CVE-2015-0248 CVE-2015-0251

Xcode 7.0 may be obtained from: https://developer.apple.com/xcode/downloads/

To check that the Xcode has been updated:

Select Xcode in the menu bar
Select About Xcode
The version after applying this update will be "7.0".

Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org

iQIcBAEBCAAGBQJV+axlAAoJEBcWfLTuOo7tzuMQAJhCQaeClT0rDozh+WlKgM6f X86xFeXLJ1gjlPKH183Bvm2gTW0m5kQuoNK1grarMB+rEeb8mPsOczwrIJisxVlr 5zkW/7JktHcsBU5vUa4j4T/CEJjp92VPZ4ub3k3eQOrhinn4E86uKcMxrYoQOAE0 YFMSDaPBFy+LIJ08ROB/AH8fkGJMLRCRAp43IGgzNuxCDx9jzW97m1dh86mR1CxP GdhWRvN7T5YqXyJTw6pZbEHtVXjty8appe2ScvHByCRxa4gZq+/JinHInLjaB4p7 3o58rAWh7lDhcEi3HqkIu0YW6fLslPydCHTI4cH1PCHTuevNjjvK34IqMbD0jG/t tO+vQFhwXpD5chsSB2oP2zLOWAJ7BA5uwvArkJhGKKzQ5DEI0soLBWG7Koe3RitO HokIMyx0r+sf4YD+OP4RVPU9bU4FpayXZnECmHzWmK2vguihbIzjxq+Knvx7aiF9 js1Qn0DxT2puVYdhixtkvYKT7r8XRjI8MPLEwS+tX1Yg1Lqhz2G1MR6mO9iBW56L g5deOuCVc56qeaobuUK0clvdFYtyd5jIXgh0zspZ4ssCbbdCOTZUQaG1mBGkIf3R JgWTX8ny1Fdk9om3dmZVWUCzzqxJR/tm5M7kjGc425ZGaoBRWLga1VIjNz7MEfKS YMBNmqt6weEewNqyDMnX =SGgX -----END PGP SIGNATURE-----

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201410-0935",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "fedora",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "fedoraproject",
        "version": "20"
      },
      {
        "model": "fedora",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "fedoraproject",
        "version": "21"
      },
      {
        "model": "fedora",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "fedoraproject",
        "version": "19"
      },
      {
        "model": "node.js",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "joyent",
        "version": "0.8.2"
      },
      {
        "model": "node.js",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "joyent",
        "version": "0.8.0"
      },
      {
        "model": "node.js",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "joyent",
        "version": "0.8.3"
      },
      {
        "model": "node.js",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "joyent",
        "version": "0.8.1"
      },
      {
        "model": "xcode",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "apple",
        "version": "7.0"
      },
      {
        "model": "node.js",
        "scope": "lt",
        "trust": 0.8,
        "vendor": "node js",
        "version": "0.8.4"
      },
      {
        "model": "xcode",
        "scope": "lt",
        "trust": 0.8,
        "vendor": "apple",
        "version": "7.0   (os x yosemite v10.10.4 or later )"
      },
      {
        "model": "xcode",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "2.4.1"
      },
      {
        "model": "xcode",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "3.1"
      },
      {
        "model": "xcode",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "3.0"
      },
      {
        "model": "xcode",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "2.3"
      },
      {
        "model": "xcode",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "2.2"
      },
      {
        "model": "xcode",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "2.1"
      },
      {
        "model": "xcode",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "2.0"
      }
    ],
    "sources": [
      {
        "db": "BID",
        "id": "70100"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-004624"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201410-165"
      },
      {
        "db": "NVD",
        "id": "CVE-2014-6394"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "cpe_match": [
              {
                "cpe22Uri": "cpe:/a:nodejs:node.js",
                "vulnerable": true
              },
              {
                "cpe22Uri": "cpe:/a:apple:xcode",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-004624"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Ilya Kantor",
    "sources": [
      {
        "db": "BID",
        "id": "70100"
      }
    ],
    "trust": 0.3
  },
  "cve": "CVE-2014-6394",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "id": "CVE-2014-6394",
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "severity": "HIGH",
            "trust": 1.8,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "VULHUB",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "id": "VHN-74338",
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "severity": "HIGH",
            "trust": 0.1,
            "vectorString": "AV:N/AC:L/AU:N/C:P/I:P/A:P",
            "version": "2.0"
          }
        ],
        "cvssV3": [],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2014-6394",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "NVD",
            "id": "CVE-2014-6394",
            "trust": 0.8,
            "value": "High"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201410-165",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "VULHUB",
            "id": "VHN-74338",
            "trust": 0.1,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-74338"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-004624"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201410-165"
      },
      {
        "db": "NVD",
        "id": "CVE-2014-6394"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "visionmedia send before 0.8.4 for Node.js uses a partial comparison for verifying whether a directory is within the document root, which allows remote attackers to access restricted directories, as demonstrated using \"public-restricted\" under a \"public\" directory. Node.js is prone to a directory-traversal vulnerability because it fails to properly sanitize user-supplied input. \nRemote attackers can use specially crafted requests with directory-traversal sequences (\u0027../\u0027) to create or overwrite arbitrary files in the context of the application. This may aid in further attacks. \nVersions prior to Node.js 0.8.4 are vulnerable. Joyent Node.js is a set of network application platforms built on the Google V8 JavaScript engine by the American Joyent company. The platform is mainly used to build highly scalable applications and write connection code that can handle tens of thousands of connections to a physical machine at the same time. A remote attacker could exploit this vulnerability to access restricted directories. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\nAPPLE-SA-2015-09-16-2 Xcode 7.0\n\nXcode 7.0 is now available and addresses the following:\n\nDevTools\nAvailable for:  OS X Yosemite v10.10.4 or later\nImpact:  An attacker may be able to bypass access restrictions\nDescription:  An API issue existed in the apache configuration. This\nissue was addressed by updating header files to use the latest\nversion. \nCVE-ID\nCVE-2015-3185 : Branko Aibej of the Apache Software Foundation\n\nIDE Xcode Server\nAvailable for:  OS X Yosemite 10.10 or later\nImpact:  An attacker may be able to access restricted parts of the\nfilesystem\nDescription:  A comparison issue existed in the node.js send module\nprior to version 0.8.4. This issue was addressed by upgrading to\nversion 0.12.3. \nCVE-ID\nCVE-2014-6394 : Ilya Kantor\n\nIDE Xcode Server\nAvailable for:  OS X Yosemite v10.10.4 or later\nImpact:  Multiple vulnerabilties in OpenSSL\nDescription:  Multiple vulnerabilties existed in the node.js OpenSSL\nmodule prior to version 1.0.1j. These issues were addressed by\nupdating openssl to version 1.0.1j. \nCVE-ID\nCVE-2014-3513\nCVE-2014-3566\nCVE-2014-3567\nCVE-2014-3568\n\nIDE Xcode Server\nAvailable for:  OS X Yosemite v10.10.4 or later\nImpact:  An attacker with a privileged network position may be able\nto inspect traffic to Xcode Server\nDescription:  Connections to Xcode Server may have been made without\nencryption. This issue was addressed through improved network\nconnection logic. \nCVE-ID\nCVE-2015-5910 : an anonymous researcher\n\nIDE Xcode Server\nAvailable for:  OS X Yosemite v10.10.4 or later\nImpact:  Build notifications may be sent to unintended recipients\nDescription:  An access issue existed in the handling of repository\nemail lists. This issue was addressed through improved validation. \nCVE-ID\nCVE-2015-5909 : Daniel Tomlinson of Rocket Apps, David Gatwood of\nAnchorfree\n\nsubversion\nAvailable for:  OS X Yosemite v10.10.4 or later\nImpact:  Multiple vulnerabilities existed in svn versions prior to\n1.7.19\nDescription:  Multiple vulnerabilities existed in svn versions prior\nto 1.7.19. These issues were addressed by updating svn to version\n1.7.20. \nCVE-ID\nCVE-2015-0248\nCVE-2015-0251\n\n\nXcode 7.0 may be obtained from:\nhttps://developer.apple.com/xcode/downloads/\n\nTo check that the Xcode has been updated:\n\n* Select Xcode in the menu bar\n* Select About Xcode\n* The version after applying this update will be \"7.0\". \n\nInformation will also be posted to the Apple Security Updates\nweb site: https://support.apple.com/kb/HT201222\n\nThis message is signed with Apple\u0027s Product Security PGP key,\nand details are available at:\nhttps://www.apple.com/support/security/pgp/\n\n-----BEGIN PGP SIGNATURE-----\nComment: GPGTools - http://gpgtools.org\n\niQIcBAEBCAAGBQJV+axlAAoJEBcWfLTuOo7tzuMQAJhCQaeClT0rDozh+WlKgM6f\nX86xFeXLJ1gjlPKH183Bvm2gTW0m5kQuoNK1grarMB+rEeb8mPsOczwrIJisxVlr\n5zkW/7JktHcsBU5vUa4j4T/CEJjp92VPZ4ub3k3eQOrhinn4E86uKcMxrYoQOAE0\nYFMSDaPBFy+LIJ08ROB/AH8fkGJMLRCRAp43IGgzNuxCDx9jzW97m1dh86mR1CxP\nGdhWRvN7T5YqXyJTw6pZbEHtVXjty8appe2ScvHByCRxa4gZq+/JinHInLjaB4p7\n3o58rAWh7lDhcEi3HqkIu0YW6fLslPydCHTI4cH1PCHTuevNjjvK34IqMbD0jG/t\ntO+vQFhwXpD5chsSB2oP2zLOWAJ7BA5uwvArkJhGKKzQ5DEI0soLBWG7Koe3RitO\nHokIMyx0r+sf4YD+OP4RVPU9bU4FpayXZnECmHzWmK2vguihbIzjxq+Knvx7aiF9\njs1Qn0DxT2puVYdhixtkvYKT7r8XRjI8MPLEwS+tX1Yg1Lqhz2G1MR6mO9iBW56L\ng5deOuCVc56qeaobuUK0clvdFYtyd5jIXgh0zspZ4ssCbbdCOTZUQaG1mBGkIf3R\nJgWTX8ny1Fdk9om3dmZVWUCzzqxJR/tm5M7kjGc425ZGaoBRWLga1VIjNz7MEfKS\nYMBNmqt6weEewNqyDMnX\n=SGgX\n-----END PGP SIGNATURE-----\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2014-6394"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-004624"
      },
      {
        "db": "BID",
        "id": "70100"
      },
      {
        "db": "VULHUB",
        "id": "VHN-74338"
      },
      {
        "db": "PACKETSTORM",
        "id": "133617"
      }
    ],
    "trust": 2.07
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2014-6394",
        "trust": 2.9
      },
      {
        "db": "BID",
        "id": "70100",
        "trust": 1.4
      },
      {
        "db": "OPENWALL",
        "id": "OSS-SECURITY/2014/09/30/10",
        "trust": 1.1
      },
      {
        "db": "OPENWALL",
        "id": "OSS-SECURITY/2014/09/24/1",
        "trust": 1.1
      },
      {
        "db": "SECUNIA",
        "id": "62170",
        "trust": 1.1
      },
      {
        "db": "JVN",
        "id": "JVNVU99970459",
        "trust": 0.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-004624",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201410-165",
        "trust": 0.7
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2020.4254",
        "trust": 0.6
      },
      {
        "db": "VULHUB",
        "id": "VHN-74338",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "133617",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-74338"
      },
      {
        "db": "BID",
        "id": "70100"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-004624"
      },
      {
        "db": "PACKETSTORM",
        "id": "133617"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201410-165"
      },
      {
        "db": "NVD",
        "id": "CVE-2014-6394"
      }
    ]
  },
  "id": "VAR-201410-0935",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-74338"
      }
    ],
    "trust": 0.01
  },
  "last_update_date": "2024-11-23T20:17:30.153000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "APPLE-SA-2015-09-16-2 Xcode 7.0",
        "trust": 0.8,
        "url": "http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html"
      },
      {
        "title": "HT205217",
        "trust": 0.8,
        "url": "https://support.apple.com/en-us/HT205217"
      },
      {
        "title": "HT205217",
        "trust": 0.8,
        "url": "http://support.apple.com/ja-jp/HT205217"
      },
      {
        "title": "FEDORA-2014-11495",
        "trust": 0.8,
        "url": "https://lists.fedoraproject.org/pipermail/package-announce/2014-October/139938.html"
      },
      {
        "title": "FEDORA-2014-11421",
        "trust": 0.8,
        "url": "https://lists.fedoraproject.org/pipermail/package-announce/2014-October/140020.html"
      },
      {
        "title": "FEDORA-2014-11289",
        "trust": 0.8,
        "url": "https://lists.fedoraproject.org/pipermail/package-announce/2014-September/139415.html"
      },
      {
        "title": "Fix a path traversal issue when using root",
        "trust": 0.8,
        "url": "https://github.com/pillarjs/send/commit/9c6ca9b2c0b880afd3ff91ce0d211213c5fa5f9a"
      },
      {
        "title": "Insecure comparison #59",
        "trust": 0.8,
        "url": "https://github.com/pillarjs/send/pull/59"
      },
      {
        "title": "Top Page",
        "trust": 0.8,
        "url": "https://nodejs.org/en/"
      },
      {
        "title": "Bug 1146063",
        "trust": 0.8,
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1146063"
      },
      {
        "title": "send-0.8.4",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=51809"
      },
      {
        "title": "send-0.8.4",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=51808"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-004624"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201410-165"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-22",
        "trust": 1.9
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-74338"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-004624"
      },
      {
        "db": "NVD",
        "id": "CVE-2014-6394"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 1.1,
        "url": "http://lists.apple.com/archives/security-announce/2015/sep/msg00002.html"
      },
      {
        "trust": 1.1,
        "url": "http://www.securityfocus.com/bid/70100"
      },
      {
        "trust": 1.1,
        "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21687263"
      },
      {
        "trust": 1.1,
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1146063"
      },
      {
        "trust": 1.1,
        "url": "https://github.com/visionmedia/send/commit/9c6ca9b2c0b880afd3ff91ce0d211213c5fa5f9a"
      },
      {
        "trust": 1.1,
        "url": "https://support.apple.com/ht205217"
      },
      {
        "trust": 1.1,
        "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-september/139415.html"
      },
      {
        "trust": 1.1,
        "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-october/140020.html"
      },
      {
        "trust": 1.1,
        "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-october/139938.html"
      },
      {
        "trust": 1.1,
        "url": "https://github.com/visionmedia/send/pull/59"
      },
      {
        "trust": 1.1,
        "url": "https://nodesecurity.io/advisories/send-directory-traversal"
      },
      {
        "trust": 1.1,
        "url": "http://www.openwall.com/lists/oss-security/2014/09/24/1"
      },
      {
        "trust": 1.1,
        "url": "http://www.openwall.com/lists/oss-security/2014/09/30/10"
      },
      {
        "trust": 1.1,
        "url": "http://secunia.com/advisories/62170"
      },
      {
        "trust": 1.1,
        "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/96727"
      },
      {
        "trust": 0.8,
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-6394"
      },
      {
        "trust": 0.8,
        "url": "http://jvn.jp/vu/jvnvu99970459/index.html"
      },
      {
        "trust": 0.8,
        "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-6394"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2020.4254/"
      },
      {
        "trust": 0.3,
        "url": "http://nodejs.org"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2015-0248"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2014-3567"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2015-5910"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2015-3185"
      },
      {
        "trust": 0.1,
        "url": "https://support.apple.com/kb/ht201222"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2014-3568"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2014-3513"
      },
      {
        "trust": 0.1,
        "url": "https://www.apple.com/support/security/pgp/"
      },
      {
        "trust": 0.1,
        "url": "https://developer.apple.com/xcode/downloads/"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2014-6394"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2015-0251"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2015-5909"
      },
      {
        "trust": 0.1,
        "url": "http://gpgtools.org"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2014-3566"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-74338"
      },
      {
        "db": "BID",
        "id": "70100"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-004624"
      },
      {
        "db": "PACKETSTORM",
        "id": "133617"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201410-165"
      },
      {
        "db": "NVD",
        "id": "CVE-2014-6394"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "VULHUB",
        "id": "VHN-74338"
      },
      {
        "db": "BID",
        "id": "70100"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-004624"
      },
      {
        "db": "PACKETSTORM",
        "id": "133617"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201410-165"
      },
      {
        "db": "NVD",
        "id": "CVE-2014-6394"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2014-10-08T00:00:00",
        "db": "VULHUB",
        "id": "VHN-74338"
      },
      {
        "date": "2014-09-12T00:00:00",
        "db": "BID",
        "id": "70100"
      },
      {
        "date": "2014-10-10T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2014-004624"
      },
      {
        "date": "2015-09-19T15:31:48",
        "db": "PACKETSTORM",
        "id": "133617"
      },
      {
        "date": "2014-10-13T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201410-165"
      },
      {
        "date": "2014-10-08T17:55:05.123000",
        "db": "NVD",
        "id": "CVE-2014-6394"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2017-09-08T00:00:00",
        "db": "VULHUB",
        "id": "VHN-74338"
      },
      {
        "date": "2015-11-03T19:43:00",
        "db": "BID",
        "id": "70100"
      },
      {
        "date": "2015-10-05T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2014-004624"
      },
      {
        "date": "2020-12-02T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201410-165"
      },
      {
        "date": "2024-11-21T02:14:18.437000",
        "db": "NVD",
        "id": "CVE-2014-6394"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201410-165"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Node.js for  visionmedia send Vulnerable to restricted directory access",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-004624"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "path traversal",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201410-165"
      }
    ],
    "trust": 0.6
  }
}

CERTFR-2015-AVI-399

Vulnerability from certfr_avis

De multiples vulnérabilités ont été corrigées dans Apple Xcode. Certaines d'entre elles permettent à un attaquant de provoquer un déni de service à distance, un contournement de la politique de sécurité et une atteinte à l'intégrité des données.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Apple Xcode version antérieure à 7.0

Impacted products

	Vendor	Product	Description

References

Title

Publication Time

ghsa-xwg4-93c6-3h42

Vulnerability from github

Published

2017-10-24 18:33

Modified

2021-09-22 17:58

Summary

Directory Traversal in send

Details

Versions 0.8.3 and earlier of send are affected by a directory traversal vulnerability. When relying on the root option to restrict file access it may be possible for an application consumer to escape out of the restricted directory and access files in a similarly named directory.

For example, static(_dirname + '/public') would allow access to _dirname + '/public-restricted'.

Recommendation

Update to version 0.8.4 or later.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "send"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.8.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2014-6394"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T22:04:41Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "Versions 0.8.3 and earlier of `send` are affected by a directory traversal vulnerability. When relying on the root option to restrict file access it may be possible for an application consumer to escape out of the restricted directory and access files in a similarly named directory. \n\nFor example, `static(_dirname + \u0027/public\u0027)` would allow access to `_dirname + \u0027/public-restricted\u0027`.\n\n\n## Recommendation\n\nUpdate to version 0.8.4 or later.",
  "id": "GHSA-xwg4-93c6-3h42",
  "modified": "2021-09-22T17:58:56Z",
  "published": "2017-10-24T18:33:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-6394"
    },
    {
      "type": "WEB",
      "url": "https://github.com/visionmedia/send/pull/59"
    },
    {
      "type": "WEB",
      "url": "https://github.com/visionmedia/send/commit/9c6ca9b2c0b880afd3ff91ce0d211213c5fa5f9a"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1146063"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/96727"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-xwg4-93c6-3h42"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/visionmedia/send"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/HT205217"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/32"
    },
    {
      "type": "WEB",
      "url": "http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/139938.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140020.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-September/139415.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/62170"
    },
    {
      "type": "WEB",
      "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21687263"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2014/09/24/1"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2014/09/30/10"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/70100"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Directory Traversal in send"
}

gsd-2014-6394

Vulnerability from gsd

Modified

2023-12-13 01:22

Details

Aliases

CVE-2014-6394

Aliases

CVE-2014-6394

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2014-6394",
    "description": "visionmedia send before 0.8.4 for Node.js uses a partial comparison for verifying whether a directory is within the document root, which allows remote attackers to access restricted directories, as demonstrated using \"public-restricted\" under a \"public\" directory.",
    "id": "GSD-2014-6394",
    "references": [
      "https://www.suse.com/security/cve/CVE-2014-6394.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2014-6394"
      ],
      "details": "visionmedia send before 0.8.4 for Node.js uses a partial comparison for verifying whether a directory is within the document root, which allows remote attackers to access restricted directories, as demonstrated using \"public-restricted\" under a \"public\" directory.",
      "id": "GSD-2014-6394",
      "modified": "2023-12-13T01:22:50.017311Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2014-6394",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "visionmedia send before 0.8.4 for Node.js uses a partial comparison for verifying whether a directory is within the document root, which allows remote attackers to access restricted directories, as demonstrated using \"public-restricted\" under a \"public\" directory."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "62170",
            "refsource": "SECUNIA",
            "url": "http://secunia.com/advisories/62170"
          },
          {
            "name": "[oss-security] 20140924 Re: CVE request: various NodeJS module vulnerabilities",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2014/09/30/10"
          },
          {
            "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1146063",
            "refsource": "CONFIRM",
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1146063"
          },
          {
            "name": "https://nodesecurity.io/advisories/send-directory-traversal",
            "refsource": "MISC",
            "url": "https://nodesecurity.io/advisories/send-directory-traversal"
          },
          {
            "name": "https://github.com/visionmedia/send/pull/59",
            "refsource": "MISC",
            "url": "https://github.com/visionmedia/send/pull/59"
          },
          {
            "name": "https://support.apple.com/HT205217",
            "refsource": "CONFIRM",
            "url": "https://support.apple.com/HT205217"
          },
          {
            "name": "https://github.com/visionmedia/send/commit/9c6ca9b2c0b880afd3ff91ce0d211213c5fa5f9a",
            "refsource": "CONFIRM",
            "url": "https://github.com/visionmedia/send/commit/9c6ca9b2c0b880afd3ff91ce0d211213c5fa5f9a"
          },
          {
            "name": "APPLE-SA-2015-09-16-2",
            "refsource": "APPLE",
            "url": "http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html"
          },
          {
            "name": "FEDORA-2014-11495",
            "refsource": "FEDORA",
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/139938.html"
          },
          {
            "name": "FEDORA-2014-11421",
            "refsource": "FEDORA",
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140020.html"
          },
          {
            "name": "70100",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/70100"
          },
          {
            "name": "nodejs-cve20146394-dir-traversal(96727)",
            "refsource": "XF",
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/96727"
          },
          {
            "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21687263",
            "refsource": "CONFIRM",
            "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21687263"
          },
          {
            "name": "FEDORA-2014-11289",
            "refsource": "FEDORA",
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-September/139415.html"
          },
          {
            "name": "[oss-security] 20140924 CVE request: various NodeJS module vulnerabilities",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2014/09/24/1"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c0.8.4",
          "affected_versions": "All versions before 0.8.4",
          "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "cwe_ids": [
            "CWE-1035",
            "CWE-22",
            "CWE-937"
          ],
          "date": "2021-09-22",
          "description": "visionmedia send before 0.8.4 for Node.js uses a partial comparison for verifying whether a directory is within the document root, which allows remote attackers to access restricted directories, as demonstrated using \"public-restricted\" under a \"public\" directory.",
          "fixed_versions": [
            "0.8.4"
          ],
          "identifier": "CVE-2014-6394",
          "identifiers": [
            "GHSA-xwg4-93c6-3h42",
            "CVE-2014-6394"
          ],
          "not_impacted": "All versions starting from 0.8.4",
          "package_slug": "npm/send",
          "pubdate": "2017-10-24",
          "solution": "Upgrade to version 0.8.4 or above.",
          "title": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2014-6394",
            "https://github.com/visionmedia/send/pull/59",
            "https://github.com/visionmedia/send/commit/9c6ca9b2c0b880afd3ff91ce0d211213c5fa5f9a",
            "https://github.com/advisories/GHSA-xwg4-93c6-3h42",
            "https://www.npmjs.com/advisories/32",
            "https://bugzilla.redhat.com/show_bug.cgi?id=1146063",
            "https://exchange.xforce.ibmcloud.com/vulnerabilities/96727",
            "https://nodesecurity.io/advisories/send-directory-traversal",
            "https://support.apple.com/HT205217",
            "http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html",
            "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/139938.html",
            "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140020.html",
            "http://lists.fedoraproject.org/pipermail/package-announce/2014-September/139415.html",
            "http://secunia.com/advisories/62170",
            "http://www-01.ibm.com/support/docview.wss?uid=swg21687263",
            "http://www.openwall.com/lists/oss-security/2014/09/24/1",
            "http://www.openwall.com/lists/oss-security/2014/09/30/10",
            "http://www.securityfocus.com/bid/70100"
          ],
          "uuid": "9fc8d964-d282-4e96-a81a-338d5400de85"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:20:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:19:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:apple:xcode:7.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:joyent:node.js:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "0.8.3",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:joyent:node.js:0.8.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:joyent:node.js:0.8.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:joyent:node.js:0.8.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2014-6394"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "visionmedia send before 0.8.4 for Node.js uses a partial comparison for verifying whether a directory is within the document root, which allows remote attackers to access restricted directories, as demonstrated using \"public-restricted\" under a \"public\" directory."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-22"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/visionmedia/send/pull/59",
              "refsource": "MISC",
              "tags": [],
              "url": "https://github.com/visionmedia/send/pull/59"
            },
            {
              "name": "[oss-security] 20140924 CVE request: various NodeJS module vulnerabilities",
              "refsource": "MLIST",
              "tags": [],
              "url": "http://www.openwall.com/lists/oss-security/2014/09/24/1"
            },
            {
              "name": "70100",
              "refsource": "BID",
              "tags": [],
              "url": "http://www.securityfocus.com/bid/70100"
            },
            {
              "name": "FEDORA-2014-11289",
              "refsource": "FEDORA",
              "tags": [],
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-September/139415.html"
            },
            {
              "name": "FEDORA-2014-11421",
              "refsource": "FEDORA",
              "tags": [],
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140020.html"
            },
            {
              "name": "https://nodesecurity.io/advisories/send-directory-traversal",
              "refsource": "MISC",
              "tags": [],
              "url": "https://nodesecurity.io/advisories/send-directory-traversal"
            },
            {
              "name": "https://github.com/visionmedia/send/commit/9c6ca9b2c0b880afd3ff91ce0d211213c5fa5f9a",
              "refsource": "CONFIRM",
              "tags": [
                "Exploit"
              ],
              "url": "https://github.com/visionmedia/send/commit/9c6ca9b2c0b880afd3ff91ce0d211213c5fa5f9a"
            },
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1146063",
              "refsource": "CONFIRM",
              "tags": [],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1146063"
            },
            {
              "name": "FEDORA-2014-11495",
              "refsource": "FEDORA",
              "tags": [],
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/139938.html"
            },
            {
              "name": "[oss-security] 20140924 Re: CVE request: various NodeJS module vulnerabilities",
              "refsource": "MLIST",
              "tags": [],
              "url": "http://www.openwall.com/lists/oss-security/2014/09/30/10"
            },
            {
              "name": "APPLE-SA-2015-09-16-2",
              "refsource": "APPLE",
              "tags": [],
              "url": "http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html"
            },
            {
              "name": "https://support.apple.com/HT205217",
              "refsource": "CONFIRM",
              "tags": [],
              "url": "https://support.apple.com/HT205217"
            },
            {
              "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21687263",
              "refsource": "CONFIRM",
              "tags": [],
              "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21687263"
            },
            {
              "name": "62170",
              "refsource": "SECUNIA",
              "tags": [],
              "url": "http://secunia.com/advisories/62170"
            },
            {
              "name": "nodejs-cve20146394-dir-traversal(96727)",
              "refsource": "XF",
              "tags": [],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/96727"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        }
      },
      "lastModifiedDate": "2017-09-08T01:29Z",
      "publishedDate": "2014-10-08T17:55Z"
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2014-6394 (GCVE-0-2014-6394)

Vulnerability from cvelistv5

fkie_cve-2014-6394

Vulnerability from fkie_nvd

var-201410-0935

Vulnerability from variot

CERTFR-2015-AVI-399

Vulnerability from certfr_avis

Solution

ghsa-xwg4-93c6-3h42

Vulnerability from github

Recommendation

gsd-2014-6394

Vulnerability from gsd

Tags

Sightings

Nomenclature