visionmedia send before 0.8.4 for Node.js uses a partial comparison for verifying whether a directory is within the document root, which allows remote attackers to access restricted directories, as demonstrated using "public-restricted" under a "public" directory. The check only tests that the resolved filesystem path begins with the root string, so a sibling directory whose name merely shares that prefix (a root of "public" matching "public-restricted") is treated as if it were inside the root.
Threat-Mapped Scoring
Score: 0.0
Priority: Unclassified
EPSS
Score: 0.04842
Percentile: 0.89076
CVSS Scoring
CVSS v2 Score: 7.5
Severity: High (a CVSS v2 base score of 7.5 falls in the 7.0-10.0 High range)
Mapped CWE(s)
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
All CAPEC(s)
CAPEC-126: Path Traversal
CAPEC-64: Using Slashes and URL Encoding Combined to Bypass Validation Logic
CAPEC-76: Manipulating Web Input to File System Calls
CAPEC-78: Using Escaped Slashes in Alternate Encoding