VDB
CVE-2024-55658
PUBLISHED
CVSS 8.7 HIGH
SiYuan is a personal knowledge management system. Prior to version 3.1.16, SiYuan's /api/export/exportResources endpoint is vulnerable to arbitrary file read via path traversal. It is possible to manipulate the paths parameter to access and download arbitrary files from the host system by traversing outside the workspace directory structure. Version 3.1.16 contains a patch for the issue.
EPSS 0.88% · 75.7th percentile
Risk Scores
CVSS 4.0
8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS Score
0.88%
75.7th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| b3log | siyuan | 3.1.15 |
| siyuan-note | siyuan | < 3.1.16 |
| github.com | siyuan-note/siyuan/kernel | 0 (all versions before the fix) |
Exploit Intelligence
Timeline
- Jan 21, 1970 Security Advisory
- Dec 11, 2024 CVE Published
- Dec 11, 2024 PoC Published
- Dec 12, 2024 EPSS Score
- Dec 12, 2024 PoC Published
- Dec 29, 2024 EPSS Score
- Jan 14, 2025 EPSS Score
- Jan 31, 2025 EPSS Score
- Feb 17, 2025 EPSS Score
- Mar 5, 2025 EPSS Score
- Mar 22, 2025 EPSS Score
- Apr 8, 2025 EPSS Score
References
- https://github.com/siyuan-note/siyuan/security/advisories/GHSA-25w9-wqfq-gwqx url
- https://github.com/siyuan-note/siyuan/commit/e70ed57f6e4852e2bd702671aeb8eb3a47a36d71 url
- https://nvd.nist.gov/vuln/detail/CVE-2024-55658 advisory
- https://github.com/siyuan-note/siyuan package
- https://pkg.go.dev/vuln/GO-2024-3323 url