CVE-2014-6394: Directory Traversal in Send Node.js Module
Platform: nodejs
Component: send
Fixed version: 0.8.4
CVE-2014-6394 describes a directory traversal vulnerability present in versions 0.8.3 and earlier of the send Node.js module. This flaw allows attackers to bypass intended file access restrictions, potentially exposing sensitive data. The vulnerability stems from improper handling of the root option, which enables access to files outside the designated directory. Updating to version 0.8.4 or later resolves this issue.
Impact and attack scenarios
Successful exploitation of CVE-2014-6394 allows an attacker to read arbitrary files on the server, provided they can influence the application's request. This could include configuration files, source code, or other sensitive data. The impact is amplified if the application is running with elevated privileges, as the attacker could potentially gain access to system resources. While the CVSS score is LOW, the potential for data exposure and the ease of exploitation make this a significant concern, particularly in applications that rely heavily on the send module for serving static assets. The ability to bypass the intended root directory restriction is a critical security failure.
Exploitation status
CVE-2014-6394 was published in 2017. There is no indication of active exploitation campaigns targeting this vulnerability. The EPSS score is likely low due to the age of the vulnerability and the lack of public exploits. No known KEV listing. Public proof-of-concept exploits are not widely available, but the vulnerability is conceptually straightforward to exploit.
Threat intelligence
Exploit status
EPSS: 4.84% (89th percentile)
Timeline
- Published
- Updated
- EPSS updated
Mitigations and workarounds
The primary mitigation for CVE-2014-6394 is to upgrade the send module to version 0.8.4 or later. This version includes a fix that properly restricts file access based on the root option. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests that attempt to traverse directories. Specifically, look for patterns in the request path that attempt to escape the intended root directory. Thoroughly test any configuration changes or WAF rules to ensure they do not disrupt legitimate application functionality. After upgrading, confirm the fix by attempting a directory traversal request and verifying that access is denied.
How to fix
No official patch is available. Check the workarounds or monitor for updates.
Frequently asked questions
What is CVE-2014-6394 — Directory Traversal in Send Node.js Module?
CVE-2014-6394 is a directory traversal vulnerability affecting versions 0.8.3 and earlier of the Send Node.js module, allowing attackers to bypass intended file access restrictions.
Am I affected by CVE-2014-6394 in Send Node.js Module?
You are affected if your application uses Send version 0.8.3 or earlier. Check your package.json or use npm list send to determine your version.
How do I fix CVE-2014-6394 in Send Node.js Module?
Upgrade the Send module to version 0.8.4 or later using npm install send@latest or by updating your package.json and running npm install.
Is CVE-2014-6394 being actively exploited?
There is no evidence of active exploitation campaigns targeting CVE-2014-6394, but the vulnerability remains a potential risk.
Where can I find the official Send advisory for CVE-2014-6394?
While a dedicated advisory may not exist, refer to the NVD entry for CVE-2014-6394 for more information: https://nvd.nist.gov/vuln/detail/CVE-2014-6394