Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0yNXc5LXdxZnEtZ3dxeM4ABCSZ
SiYuan has an arbitrary file read and path traversal via /api/export/exportResources
Summary
Siyuan's /api/export/exportResources endpoint is vulnerable to arbitary file read via path traversal. It is possible to manipulate the paths parameter to access and download arbitrary files from the host system by traversing the workspace directory structure.
Impact
Arbitrary File Read
Permalink: https://github.com/advisories/GHSA-25w9-wqfq-gwqxJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0yNXc5LXdxZnEtZ3dxeM4ABCSZ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 7 days ago
Updated: 6 days ago
EPSS Percentage: 0.00044
EPSS Percentile: 0.1207
Identifiers: GHSA-25w9-wqfq-gwqx, CVE-2024-55658
References:
- https://github.com/siyuan-note/siyuan/security/advisories/GHSA-25w9-wqfq-gwqx
- https://github.com/siyuan-note/siyuan/commit/e70ed57f6e4852e2bd702671aeb8eb3a47a36d71
- https://nvd.nist.gov/vuln/detail/CVE-2024-55658
- https://pkg.go.dev/vuln/GO-2024-3323
- https://github.com/advisories/GHSA-25w9-wqfq-gwqx
Blast Radius: 1.0
Affected Packages
go:github.com/siyuan-note/siyuan/kernel
Dependent packages: 0Dependent repositories: 0
Downloads:
Affected Version Ranges: <= 0.0.0-20241210012039-5129ad926a21
No known fixed version
All affected versions: 0.0.0-20220905142016-d4334c773dad, 0.0.0-20221027152605-fe60b22d536d, 0.0.0-20230103113146-145243e0583b, 0.0.0-20230111025530-cdb6077c3f00, 0.0.0-20230117023040-d0f011b1a5b1, 0.0.0-20230321012606-1a6fddc44111, 0.0.0-20230321035213-f83a07fb0626, 0.0.0-20230404073044-cbddfb196259, 0.0.0-20230411020541-41873799c846, 0.0.0-20230411032044-a1e389df19df, 0.0.0-20230418060053-0929e98dee27, 0.0.0-20230425032235-9e9b43392e30, 0.0.0-20230509095923-c7b43df2d829, 0.0.0-20230704012107-073e73838942, 0.0.0-20230725120217-1c2422cf6d73, 0.0.0-20230801023826-ae576633c12e, 0.0.0-20230808040815-95c095573538, 0.0.0-20230815124756-a516f8da2cf1, 0.0.0-20230821131106-e08133ea88ff, 0.0.0-20230829032438-2349b080db59, 0.0.0-20230905014358-830c8b55cf1f, 0.0.0-20230908022656-147d08377047, 0.0.0-20230912012204-38bb73810b5a, 0.0.0-20230919025405-cd94ce9fb132, 0.0.0-20231003053625-642d04151389, 0.0.0-20231004050336-811bac942ddb, 0.0.0-20231011065714-eb93255cf327, 0.0.0-20231115012049-99b3c7e1920a, 0.0.0-20231205010704-20881abfe2f8, 0.0.0-20231214085135-4d5f5380088e, 0.0.0-20231214121959-554b1f77694c, 0.0.0-20231219004102-fd0e44fbf0ef, 0.0.0-20231226025913-171b91513423, 0.0.0-20240102022946-cb6a843cd957, 0.0.0-20240109001922-343c7679e74b, 0.0.0-20240110090555-2b6dc096a8e7, 0.0.0-20240116030803-f6651fbc0ffd