Analysis pending: CVE-2014-6394

CVE-2014-6394: Directory Traversal in Send Node.js Module

Platform

nodejs

Component

send

Fixed in

0.8.4

CVE-2014-6394 describes a directory traversal vulnerability present in versions 0.8.3 and earlier of the send Node.js module. This flaw allows attackers to bypass intended file access restrictions, potentially exposing sensitive data. The vulnerability stems from improper handling of the root option, which enables access to files outside the designated directory. Updating to version 0.8.4 or later resolves this issue.

Impact and Attack Scenarios

Successful exploitation of CVE-2014-6394 allows an attacker to read arbitrary files on the server, provided they can influence the application's request. This could include configuration files, source code, or other sensitive data. The impact is amplified if the application is running with elevated privileges, as the attacker could potentially gain access to system resources. While the CVSS score is LOW, the potential for data exposure and the ease of exploitation make this a significant concern, particularly in applications that rely heavily on the send module for serving static assets. The ability to bypass the intended root directory restriction is a critical security failure.

Exploitation Context

CVE-2014-6394 was published in 2017. There is no indication of active exploitation campaigns targeting this vulnerability. The EPSS score is likely low due to the age of the vulnerability and the lack of public exploits. No known KEV listing. Public proof-of-concept exploits are not widely available, but the vulnerability is conceptually straightforward to exploit.

Threat Intelligence

Exploit Status

Proof of concept: Unknown
CISA KEV: NO
NextGuard: 10–15% still vulnerable

EPSS

4.84% (89th percentile)

Timeline

  1. Published
  2. Modified
  3. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2014-6394 is to upgrade the send module to version 0.8.4 or later. This version includes a fix that properly restricts file access based on the root option. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests that attempt to traverse directories. Specifically, look for patterns in the request path that attempt to escape the intended root directory. Thoroughly test any configuration changes or WAF rules to ensure they do not disrupt legitimate application functionality. After upgrading, confirm the fix by attempting a directory traversal request and verifying that access is denied.

How to Fix

No official patch is available. Look for alternative solutions or monitor for updates.

Frequently Asked Questions

What is CVE-2014-6394 — Directory Traversal in Send Node.js Module?

CVE-2014-6394 is a directory traversal vulnerability affecting versions 0.8.3 and earlier of the Send Node.js module, allowing attackers to bypass intended file access restrictions.

Am I affected by CVE-2014-6394 in Send Node.js Module?

You are affected if your application uses Send version 0.8.3 or earlier. Check your package.json or use npm list send to determine your version.
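
The lockfile check suggested in this answer, as an added example (not code from the send project or from this page): it walks an npm lockfile so that copies of send pulled in transitively are also compared against the 0.8.4 fix. The sample lockfile and the package name `example-static-server` are constructed for illustration.

```javascript
// Added example: flag every resolved copy of `send` older than 0.8.4.
const FIXED = [0, 8, 4];

// Parse "major.minor.patch", ignoring any pre-release or build suffix.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// True when version a sorts strictly before version b.
function isBefore(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}

// Collect {path, version} for each `send` entry in either lockfile layout.
function findSend(lock) {
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/send$/.test(path)) hits.push({ path, version: meta.version });
  }
  // lockfileVersion 1: nested "dependencies" tree (skipped when "packages" exists).
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = [...trail, name].join(' > ');
      if (name === 'send') hits.push({ path, version: meta.version });
      walk(meta.dependencies, [...trail, name]);
    }
  };
  if (!lock.packages) walk(lock.dependencies, []);
  return hits;
}

// Copies that predate the fix; an unparseable version is reported, not skipped.
function vulnerableSend(lock) {
  return findSend(lock).filter(({ version }) => {
    const v = parseVersion(version);
    return v === null || isBefore(v, FIXED);
  });
}

// Constructed sample, not a real project: `example-static-server` is a
// hypothetical package that nests an old copy of `send`.
const sampleLock = { lockfileVersion: 1, dependencies: {
  send: { version: '0.8.5' },
  'example-static-server': { version: '1.0.0', dependencies: { send: { version: '0.8.3' } } },
} };
console.log(vulnerableSend(sampleLock));
```

To check a real project, pass the parsed contents of its package-lock.json to `vulnerableSend` in place of the sample object.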

How do I fix CVE-2014-6394 in Send Node.js Module?

Upgrade the Send module to version 0.8.4 or later using npm install send@latest or by updating your package.json and running npm install.

Is CVE-2014-6394 being actively exploited?

There is no evidence of active exploitation campaigns targeting CVE-2014-6394, but the vulnerability remains a potential risk.

Where can I find the official Send advisory for CVE-2014-6394?

While a dedicated advisory may not exist, refer to the NVD entry for CVE-2014-6394 for more information: https://nvd.nist.gov/vuln/detail/CVE-2014-6394
