SiYuan has an arbitrary file read via /api/template/render
CVE-2024-55657
7.5 HIGH
What is CVE-2024-55657?
The SiYuan Personal Knowledge Management System has an arbitrary file read vulnerability in its /api/template/render endpoint. Because the path parameter is not adequately validated, unauthorized users can exploit this flaw to read sensitive files on the host system. The issue affects all versions prior to 3.1.16. Users are advised to upgrade to the latest version once the patch has been released, to mitigate the risk of unauthorized access to their systems.
Affected Version(s)
siyuan < 3.1.16
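
The path validation that the description says is missing can be sketched as follows. This is an added example, not SiYuan's code or its actual patch; it is written in Go, the language of SiYuan's kernel, and `ResolveTemplatePath`, `ErrOutsideBase` and the `templates` directory are hypothetical names.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when a requested path resolves outside the allowed directory.
var ErrOutsideBase = errors.New("path escapes template directory")

// ResolveTemplatePath confines a client-supplied path to baseDir (hypothetical
// helper; baseDir stands in for the directory templates are allowed to live in).
func ResolveTemplatePath(baseDir, requested string) (string, error) {
	base, err := filepath.EvalSymlinks(baseDir)
	if err != nil {
		return "", err
	}
	candidate := requested
	if !filepath.IsAbs(candidate) {
		candidate = filepath.Join(base, candidate)
	}
	// EvalSymlinks cleans the path and follows links, so "../" segments and
	// symlinks pointing out of baseDir are both resolved before the check.
	resolved, err := filepath.EvalSymlinks(candidate)
	if err != nil {
		return "", err
	}
	rel, err := filepath.Rel(base, resolved)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return resolved, nil
}

func main() {
	root, _ := os.MkdirTemp("", "demo") // constructed sample layout
	defer os.RemoveAll(root)
	base := filepath.Join(root, "templates")
	os.Mkdir(base, 0o700)
	os.WriteFile(filepath.Join(base, "daily.md"), []byte("# note"), 0o600)
	os.WriteFile(filepath.Join(root, "secret.txt"), []byte("s"), 0o600)
	for _, p := range []string{"daily.md", "../secret.txt", filepath.Join(root, "secret.txt")} {
		_, err := ResolveTemplatePath(base, p)
		fmt.Printf("%q -> %v\n", p, err)
	}
}
```

The check runs on the fully resolved path rather than on the raw string, so relative traversal, absolute paths and symlinks that point outside the base directory are all rejected by the same comparison.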
