Root Path Disclosure

Module: send

Published: November 3rd, 2015

Reported by: Dinis Cruz

CVE-2015-8859

CWE-934

Vulnerable: <0.11.1
Patched: >=0.11.1

Overview

Versions of send prior to 0.11.2 are affected by an information leakage vulnerability which may allow an attacker to enumerate paths on the server filesystem.

Remediation

Update to version 0.11.1 or later.
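
To confirm the update reached every installed copy, the following added example (not part of the original advisory or of the send project) walks a parsed npm lockfile and flags each copy of send below 0.11.1, including copies nested under other packages. The sample lockfile and its package names are constructed for illustration.

```javascript
// Added example: flag installed copies of `send` in the advisory's range (<0.11.1).
const PATCHED = [0, 11, 1]; // from the advisory: Patched >=0.11.1

// Parse "MAJOR.MINOR.PATCH[-prerelease]"; returns null if the string is not a version.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v).trim());
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// true = below 0.11.1, false = patched, null = unparseable (review by hand).
function isVulnerable(version) {
  const p = parseVersion(version);
  if (!p) return null;
  for (let i = 0; i < 3; i++) {
    if (p.nums[i] !== PATCHED[i]) return p.nums[i] < PATCHED[i];
  }
  return p.pre; // a prerelease of 0.11.1 sorts before the 0.11.1 release
}

// Collect `send` entries from a lockfile: flat "packages" (v2/v3) or nested "dependencies" (v1).
function findSend(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/send$/.test(path)) hits.push({ path, version: meta.version });
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = trail + "node_modules/" + name;
      if (name === "send") hits.push({ path, version: meta.version });
      walk(meta.dependencies, path + "/");
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits.map((h) => ({ ...h, vulnerable: isVulnerable(h.version) }));
}

// Constructed sample lockfile; "web-framework" and "static-files" are hypothetical.
const SAMPLE_LOCK = {
  dependencies: {
    "web-framework": { version: "1.0.0", dependencies: { send: { version: "0.11.0" } } },
    send: { version: "0.11.1" },
    "static-files": { version: "2.0.0", dependencies: { send: { version: "0.9.3" } } },
  },
};

for (const hit of findSend(SAMPLE_LOCK)) {
  console.log(`${hit.vulnerable === false ? "ok" : "REVIEW"}  send@${hit.version}  ${hit.path}`);
}
```

A top-level send at 0.11.1 does not clear the project while a dependency still pins an older nested copy, which is why the walk covers the whole tree.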

References

PR #70
Express Changelog - 2015/01/20