exploitDog
GHSA-xx68-37v4-4596

Published: 11 Dec 2024
Source: github
GitHub: Reviewed
CVSS4: 8.7
CVSS3: 7.5

Description

SiYuan has an arbitrary file read via /api/template/render

Summary

An arbitrary file read vulnerability exists in Siyuan's /api/template/render endpoint. The absence of proper validation on the path parameter allows attackers to access sensitive files on the host system.

Impact

Arbitrary file read on the host

Packages

Name: github.com/siyuan-note/siyuan/kernel (go)
Affected versions: <= 0.0.0-20241210012039-5129ad926a21
Fixed version: none

EPSS

Percentile: 42%
0.00192
Low

8.7 High

CVSS4

7.5 High

CVSS3

Weaknesses

CWE-22

Related vulnerabilities

CVSS3: 7.5
nvd
8 months ago

SiYuan is a personal knowledge management system. Prior to version 3.1.16, an arbitrary file read vulnerability exists in Siyuan's `/api/template/render` endpoint. The absence of proper validation on the path parameter allows attackers to access sensitive files on the host system. Version 3.1.16 contains a patch for the issue.
