Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1mcWo2LXdoaHgtNDdwN84ABCSa
SiYuan has an arbitrary file write in the host via /api/asset/upload
Summary
The /api/asset/upload endpoint in SiYuan allows an arbitrary file write on the host, and, because a written file can be served back from the application, a stored XSS via that same file write.
Impact
Arbitrary file write
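A hardened shape for an upload endpoint of this kind, added here as an illustration; this is not SiYuan's code and not the referenced fix commit. It confines the written file to the assets root (rejecting rather than rewriting suspicious names, then re-checking the joined path) and serves uploads so that a stored HTML or SVG file cannot execute in the application's origin. The root path, handler names, the 32 MiB size limit and the inline allow-list are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"os"
	"path/filepath"
	"strings"
)

// ErrBadName is returned for client-supplied names that are not a single,
// plain file name (directories, traversal, hidden files, NUL bytes).
var ErrBadName = errors.New("upload name rejected")

// SafeAssetPath confines an upload to root. It rejects instead of rewriting
// suspicious names, then re-checks the joined path against root so that the
// confinement does not rest on the string checks alone.
func SafeAssetPath(root, name string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	// Both separator styles count: "..\x" is a plain file name on Linux but
	// a traversal on a Windows host running the same code.
	if name == "" || name == "." || name == ".." ||
		strings.ContainsAny(name, "/\\\x00") || strings.HasPrefix(name, ".") {
		return "", ErrBadName
	}
	dst := filepath.Join(absRoot, name)
	rel, err := filepath.Rel(absRoot, dst)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrBadName
	}
	return dst, nil
}

// inlineSafe lists extensions a browser renders without executing script
// (assumed allow-list). SVG is deliberately absent: it is an image format,
// but opened directly it runs embedded <script>, which is a stored-XSS path.
var inlineSafe = map[string]bool{
	".png": true, ".jpg": true, ".jpeg": true, ".gif": true, ".webp": true, ".txt": true,
}

// InlineSafe reports whether a stored asset may be served inline.
func InlineSafe(name string) bool {
	return inlineSafe[strings.ToLower(filepath.Ext(name))]
}

// UploadHandler stores the multipart field "file" under root (assumed API shape).
func UploadHandler(root string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		f, hdr, err := r.FormFile("file")
		if err != nil {
			http.Error(w, "missing file", http.StatusBadRequest)
			return
		}
		defer f.Close()
		dst, err := SafeAssetPath(root, hdr.Filename)
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		// O_EXCL: this endpoint never overwrites an existing file.
		out, err := os.OpenFile(dst, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
		if err != nil {
			http.Error(w, "cannot create asset", http.StatusConflict)
			return
		}
		defer out.Close()
		if _, err := io.Copy(out, io.LimitReader(f, 32<<20)); err != nil {
			http.Error(w, "write failed", http.StatusInternalServerError)
			return
		}
		fmt.Fprintln(w, filepath.Base(dst))
	}
}

// AssetHandler serves stored assets. Anything not on the inline allow-list is
// forced to download with nosniff, so an uploaded .html or .svg cannot run
// in the application's origin.
func AssetHandler(root string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		p, err := SafeAssetPath(root, strings.TrimPrefix(r.URL.Path, "/assets/"))
		if err != nil {
			http.NotFound(w, r)
			return
		}
		w.Header().Set("X-Content-Type-Options", "nosniff")
		if !InlineSafe(p) {
			w.Header().Set("Content-Type", "application/octet-stream")
			w.Header().Set("Content-Disposition", "attachment")
		}
		http.ServeFile(w, r, p)
	}
}

func main() {
	// Constructed sample names; /srv/assets is an assumed root.
	for _, n := range []string{"notes.png", "../../etc/cron.d/job", "..\\..\\x", "a/b.png", "page.svg"} {
		p, err := SafeAssetPath("/srv/assets", n)
		fmt.Printf("%-24q -> path=%q err=%v inline=%v\n", n, p, err, InlineSafe(n))
	}
}
```

To wire it up, mount UploadHandler on the upload route and AssetHandler on the asset prefix; the second, path-relative check in SafeAssetPath is what keeps a future loosening of the name rules from silently reopening the traversal.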
Permalink: https://github.com/advisories/GHSA-fqj6-whhx-47p7
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mcWo2LXdoaHgtNDdwN84ABCSa
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 7 days ago
Updated: 6 days ago
EPSS Percentage: 0.00044
EPSS Percentile: 0.1207
Identifiers: GHSA-fqj6-whhx-47p7, CVE-2024-55659
References:
- https://github.com/siyuan-note/siyuan/security/advisories/GHSA-fqj6-whhx-47p7
- https://github.com/siyuan-note/siyuan/commit/e70ed57f6e4852e2bd702671aeb8eb3a47a36d71
- https://nvd.nist.gov/vuln/detail/CVE-2024-55659
- https://pkg.go.dev/vuln/GO-2024-3326
- https://github.com/advisories/GHSA-fqj6-whhx-47p7
Blast Radius: 1.0
Affected Packages
go:github.com/siyuan-note/siyuan/kernel
Dependent packages: 0
Dependent repositories: 0
Downloads:
Affected Version Ranges: <= 0.0.0-20241210012039-5129ad926a21
No known fixed version
All affected versions: 0.0.0-20220905142016-d4334c773dad, 0.0.0-20221027152605-fe60b22d536d, 0.0.0-20230103113146-145243e0583b, 0.0.0-20230111025530-cdb6077c3f00, 0.0.0-20230117023040-d0f011b1a5b1, 0.0.0-20230321012606-1a6fddc44111, 0.0.0-20230321035213-f83a07fb0626, 0.0.0-20230404073044-cbddfb196259, 0.0.0-20230411020541-41873799c846, 0.0.0-20230411032044-a1e389df19df, 0.0.0-20230418060053-0929e98dee27, 0.0.0-20230425032235-9e9b43392e30, 0.0.0-20230509095923-c7b43df2d829, 0.0.0-20230704012107-073e73838942, 0.0.0-20230725120217-1c2422cf6d73, 0.0.0-20230801023826-ae576633c12e, 0.0.0-20230808040815-95c095573538, 0.0.0-20230815124756-a516f8da2cf1, 0.0.0-20230821131106-e08133ea88ff, 0.0.0-20230829032438-2349b080db59, 0.0.0-20230905014358-830c8b55cf1f, 0.0.0-20230908022656-147d08377047, 0.0.0-20230912012204-38bb73810b5a, 0.0.0-20230919025405-cd94ce9fb132, 0.0.0-20231003053625-642d04151389, 0.0.0-20231004050336-811bac942ddb, 0.0.0-20231011065714-eb93255cf327, 0.0.0-20231115012049-99b3c7e1920a, 0.0.0-20231205010704-20881abfe2f8, 0.0.0-20231214085135-4d5f5380088e, 0.0.0-20231214121959-554b1f77694c, 0.0.0-20231219004102-fd0e44fbf0ef, 0.0.0-20231226025913-171b91513423, 0.0.0-20240102022946-cb6a843cd957, 0.0.0-20240109001922-343c7679e74b, 0.0.0-20240110090555-2b6dc096a8e7, 0.0.0-20240116030803-f6651fbc0ffd