{"id":"CVE-2014-6394","details":"visionmedia send before 0.8.4 for Node.js uses a partial comparison for verifying whether a directory is within the document root, which allows remote attackers to access restricted directories, as demonstrated using \"public-restricted\" under a \"public\" directory.","aliases":["GHSA-xwg4-93c6-3h42"],"modified":"2026-04-10T03:43:59.739949Z","published":"2014-10-08T17:55:05Z","references":[{"type":"ADVISORY","url":"http://secunia.com/advisories/62170"},{"type":"ADVISORY","url":"https://nodesecurity.io/advisories/send-directory-traversal"},{"type":"EVIDENCE","url":"https://github.com/visionmedia/send/commit/9c6ca9b2c0b880afd3ff91ce0d211213c5fa5f9a"},{"type":"FIX","url":"https://github.com/visionmedia/send/pull/59"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1146063"},{"type":"WEB","url":"http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html"},{"type":"WEB","url":"http://lists.fedoraproject.org/pipermail/package-announce/2014-October/139938.html"},{"type":"WEB","url":"http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140020.html"},{"type":"WEB","url":"http://lists.fedoraproject.org/pipermail/package-announce/2014-September/139415.html"},{"type":"WEB","url":"http://www-01.ibm.com/support/docview.wss?uid=swg21687263"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2014/09/24/1"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2014/09/30/10"},{"type":"WEB","url":"http://www.securityfocus.com/bid/70100"},{"type":"WEB","url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/96727"},{"type":"WEB","url":"https://support.apple.com/HT205217"}],"schema_version":"1.7.5"}