
CVE-2014-6394

CVSS Score: Low
Published: Oct 08, 2014
Last Modified: Apr 12, 2025

Vulnerability Description

visionmedia send before 0.8.4 for Node.js uses a partial comparison for verifying whether a directory is within the document root, which allows remote attackers to access restricted directories, as demonstrated using "public-restricted" under a "public" directory.

Known Affected Software

9 configuration(s) from 3 vendor(s)

xcode, Version: 7.0, CPE: cpe:2.3:a:apple:xcode:7.0:*:*:*:*:*:*:*
fedora, Version: 21, CPE: cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:*
fedora, Version: 20, CPE: cpe:2.3:o:fedoraproject:fedora:20:*:*:*:*:*:*:*
fedora, Version: 19, CPE: cpe:2.3:o:fedoraproject:fedora:19:*:*:*:*:*:*:*
node.js, Version: 0.8.2, CPE: cpe:2.3:a:joyent:node.js:0.8.2:*:*:*:*:*:*:*
node.js, Version: 0.6.1, CPE: cpe:2.3:a:joyent:node.js:0.6.1:*:*:*:*:*:*:*
node.js, Version: 0.8.0, CPE: cpe:2.3:a:joyent:node.js:0.8.0:*:*:*:*:*:*:*
node.js, Version: 0.8.1, CPE: cpe:2.3:a:joyent:node.js:0.8.1:*:*:*:*:*:*:*
node.js, Version: 0.6.3, CPE: cpe:2.3:a:joyent:node.js:0.6.3:*:*:*:*:*:*:*

This vulnerability affects 9 software configuration(s). Ensure you patch all affected systems.

Severity Details

out of 10.0
Low

Weakness Type (CWE)

CWE-22 (Top 25 #6)

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Description
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can…
Exploit Likelihood: High
Typical Severity: High
OWASP Top 10: A01:2021-Broken Access Control
Abstraction Level: Base

Key Information

Published Date: October 08, 2014