CVE-2024-55658 HIGH

CVE-2024-55658: SiYuan has an arbitrary file read and path traversal via /api/export/exportResources

Vendor Siyuan-Note
Product siyuan
Weakness CWE-22 · Path traversal
Published December 11, 2024
Last update December 12, 2024

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity None
Availability None

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

Description

SiYuan is a personal knowledge management system. Prior to version 3.1.16, SiYuan's /api/export/exportResources endpoint is vulnerable to arbitrary file read via path traversal: the paths parameter can be manipulated to traverse out of the workspace directory structure and download arbitrary files from the host system. Version 3.1.16 contains a patch for the issue.
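The pattern behind CWE-22 here is a client-supplied path joined onto a trusted root with no check that the result stays inside that root. The Go program below is an added illustration of that class of bug and its fix; it is not SiYuan's code, and the function names (naiveResolve, safeResolve, resolveAll) and the workspace path are hypothetical. naiveResolve shows the unsafe join; safeResolve cleans the joined path and rejects anything whose path relative to the root starts with "..", and resolveAll applies that check to a whole list of requested paths, refusing the entire request if any entry escapes.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideWorkspace is returned when a requested path would resolve
// outside the workspace root. (Hypothetical name, added for this example.)
var ErrOutsideWorkspace = errors.New("requested path escapes the workspace")

// naiveResolve is the vulnerable pattern: the user-controlled path is joined
// to the workspace root and used as-is. filepath.Join cleans the result, so
// "../" segments walk straight out of the workspace. Illustrative only.
func naiveResolve(workspace, userPath string) string {
	return filepath.Join(workspace, userPath)
}

// safeResolve is the hardened form. It joins and cleans the path, then
// checks that the result, expressed relative to the root, does not begin
// with a ".." component. A leading "/" in userPath is harmless here because
// filepath.Join treats it as relative to the root. Note that this is a
// lexical check; it does not follow symlinks inside the workspace.
func safeResolve(workspace, userPath string) (string, error) {
	root := filepath.Clean(workspace)
	full := filepath.Clean(filepath.Join(root, userPath))
	rel, err := filepath.Rel(root, full)
	if err != nil {
		return "", err
	}
	// Reject exactly ".." and anything under it, but not names like "..cache".
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideWorkspace
	}
	return full, nil
}

// resolveAll validates a list of requested paths (the shape an export
// endpoint taking a "paths" parameter might receive) and fails closed:
// one bad entry rejects the whole request, so no partial export happens.
func resolveAll(workspace string, paths []string) ([]string, error) {
	out := make([]string, 0, len(paths))
	for _, p := range paths {
		full, err := safeResolve(workspace, p)
		if err != nil {
			return nil, fmt.Errorf("path %q: %w", p, err)
		}
		out = append(out, full)
	}
	return out, nil
}

func main() {
	// Constructed sample input: a hypothetical workspace and a mix of
	// legitimate and traversal-style entries.
	ws := "/srv/siyuan/workspace"
	requests := []string{"assets/image.png", "../../../etc/passwd"}

	for _, r := range requests {
		fmt.Printf("naive:  %-22s -> %s\n", r, naiveResolve(ws, r))
		if full, err := safeResolve(ws, r); err != nil {
			fmt.Printf("safe:   %-22s -> rejected (%v)\n", r, err)
		} else {
			fmt.Printf("safe:   %-22s -> %s\n", r, full)
		}
	}
	if _, err := resolveAll(ws, requests); err != nil {
		fmt.Println("export refused:", err)
	}
}
```

The lexical check is the minimum a practitioner would add; if the workspace can contain attacker-created symlinks, resolve the final path with filepath.EvalSymlinks and re-run the same relative-path test on the result before opening the file.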

Key dates

Disclosure timeline

December 11, 2024 CVE published
December 12, 2024 Record updated