CVE-2014-6394: Path Traversal
First published: Wed Sep 24 2014(Updated: )
visionmedia send before 0.8.4 for Node.js uses a partial comparison for verifying whether a directory is within the document root, which allows remote attackers to access restricted directories, as demonstrated using "public-restricted" under a "public" directory.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/nodejs-send | <0.8.4 | 0.8.4 |
| Red Hat Fedora | =19 | |
| Red Hat Fedora | =20 | |
| Red Hat Fedora | =21 | |
| Apple Xcode | =7.0 | |
| Node.js YAML | <=0.8.3 | |
| Node.js YAML | =0.8.0 | |
| Node.js YAML | =0.8.1 | |
| Node.js YAML | =0.8.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html
- http://lists.fedoraproject.org/pipermail/package-announce/2014-October/139938.html
- http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140020.html
- http://lists.fedoraproject.org/pipermail/package-announce/2014-September/139415.html
- http://secunia.com/advisories/62170
- http://www-01.ibm.com/support/docview.wss?uid=swg21687263
- http://www.openwall.com/lists/oss-security/2014/09/24/1
- http://www.openwall.com/lists/oss-security/2014/09/30/10
- http://www.securityfocus.com/bid/70100
- https://bugzilla.redhat.com/show_bug.cgi?id=1146063
- https://exchange.xforce.ibmcloud.com/vulnerabilities/96727
- https://github.com/visionmedia/send/commit/9c6ca9b2c0b880afd3ff91ce0d211213c5fa5f9a
- https://github.com/visionmedia/send/pull/59
- https://nodesecurity.io/advisories/send-directory-traversal
- https://support.apple.com/HT205217
- http://seclists.org/oss-sec/2014/q3/640
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1146064
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1146065
Frequently Asked Questions
What is the severity of CVE-2014-6394?
CVE-2014-6394 is classified as a moderate severity vulnerability due to its potential to allow unauthorized access to restricted directories.
How do I fix CVE-2014-6394?
To fix CVE-2014-6394, upgrade to version 0.8.4 or newer of the affected software, specifically nodejs-send.
What software is affected by CVE-2014-6394?
CVE-2014-6394 affects visionmedia send versions prior to 0.8.4 for Node.js.
Can CVE-2014-6394 allow remote access to files?
Yes, CVE-2014-6394 can allow remote attackers to access restricted directories, posing a security risk.
What types of systems are impacted by CVE-2014-6394?
CVE-2014-6394 impacts several systems including Fedora versions 19 to 21 and older versions of Node.js.
- agent/type
- agent/first-publish-date
- agent/references
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/weakness
- agent/author
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2014-6394
- agent/software-canonical-lookup
- agent/event
- agent/trending
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- vendor/fedoraproject
- canonical/red hat fedora
- version/red hat fedora/19
- version/red hat fedora/20
- version/red hat fedora/21
- vendor/apple
- canonical/apple xcode
- version/apple xcode/7.0
- vendor/joyent
- canonical/node.js yaml
- version/node.js yaml/0.8.3
- version/node.js yaml/0.8.0
- version/node.js yaml/0.8.1
- version/node.js yaml/0.8.2