Platform: go
Component: github.com/siyuan-note/siyuan/kernel
Fixed in: 3.1.17
0.0.1
CVE-2024-55658 is a path traversal vulnerability in the SiYuan Kernel, the core component of the SiYuan note-taking application. It allows an attacker to read arbitrary files on the server by manipulating the path parameters accepted by the /api/export/exportResources endpoint. The vulnerability affects versions of SiYuan Kernel prior to 3.1.16; the fix was released in version 3.1.16.
The primary impact is unauthorized access to sensitive files on the host running SiYuan. An attacker could read configuration files, database credentials, source code, or any other file readable by the account the application runs as. Successful exploitation can lead to data exposure, and the information obtained (credentials, tokens, internal paths) can be used to identify and exploit other weaknesses on the host. The ability to read arbitrary files extends the attack surface well beyond the intended scope of the export feature, which should only ever serve resources from within the SiYuan workspace. The flaw itself does not provide remote code execution.
This vulnerability was publicly disclosed on December 12, 2024. There is currently no indication of active exploitation in the wild, and it is not listed in the CISA KEV catalog. Public proof-of-concept exploits are not yet widely available, but the low complexity of the attack (a single crafted request to the export endpoint) means they are likely to emerge. The impact is amplified by SiYuan's broad deployment base, particularly among individual users and small teams who may expose the kernel over the network without additional access controls.
Exploit Status
EPSS
0.65% (71st percentile)
The primary mitigation for CVE-2024-55658 is to upgrade SiYuan Kernel to version 3.1.16 or later without delay. If upgrading is not immediately feasible, a Web Application Firewall (WAF) rule that blocks requests to /api/export/exportResources containing traversal sequences (e.g., ../) reduces exposure, but treat it only as a stopgap: such rules are prone to bypass through alternative encodings of the same sequence, and they do not remove the underlying bug. Additionally, run SiYuan under a dedicated, minimally privileged user account so that a successful read is confined to files that account can access, and review file system permissions to ensure sensitive files (system credentials, other applications' configuration) are not readable by that account. Do not expose the kernel API directly to untrusted networks. After upgrading, confirm the fix by requesting a path outside the workspace via /api/export/exportResources; the request should be rejected rather than returning the file.
Upgrade SiYuan to version 3.1.16 or later. This version contains a fix for the arbitrary file read and path traversal vulnerability. Updating prevents attackers from accessing sensitive files on your system.
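The defensive check that a fix for this class of bug has to enforce is containment: every requested resource must resolve to a location inside the workspace root, and any request that does not must be rejected rather than silently rewritten. The following Go program is an added example written for this page, not SiYuan's own code, and it does not reproduce the actual patch. It assumes a hypothetical workspace root of /srv/siyuan/workspace and models the export request as a list of relative paths; the `paths` request parameter name is an assumption. It contrasts the unsafe join pattern that produces path traversal with a hardened resolver, and shows the hardened check applied to a whole batch request so that a single traversal entry rejects the entire export.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideWorkspace is returned for any requested path that would resolve
// outside the workspace root; ErrInvalidPath covers malformed input.
var (
	ErrOutsideWorkspace = errors.New("requested path escapes the workspace root")
	ErrInvalidPath      = errors.New("invalid path")
)

// NaiveResolve is the unsafe pattern behind classic path traversal bugs: a
// caller-controlled path is joined onto the root with no containment check.
// filepath.Join cleans the result, but cleaning resolves "../" segments rather
// than rejecting them, so "../../etc/passwd" still walks out of the root.
func NaiveResolve(root, userPath string) string {
	return filepath.Join(root, userPath)
}

// SafeResolve joins userPath onto root and refuses any result that is not
// inside root. Containment is checked with filepath.Rel rather than a string
// prefix test, because a prefix test would accept "/ws-evil/x" for root "/ws".
// The check is lexical: it does not follow symlinks (see the note below).
func SafeResolve(root, userPath string) (string, error) {
	if userPath == "" || strings.ContainsRune(userPath, 0) {
		return "", ErrInvalidPath
	}
	if filepath.IsAbs(userPath) {
		// Absolute input is never a workspace-relative resource.
		return "", ErrOutsideWorkspace
	}
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	candidate := filepath.Join(absRoot, userPath) // cleaned, but may still escape
	rel, err := filepath.Rel(absRoot, candidate)
	if err != nil {
		return "", err
	}
	// Anything that starts with ".." relative to the root lies outside it.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideWorkspace
	}
	return candidate, nil
}

// ResolveAll applies SafeResolve to every entry of a batch request and fails
// closed: one bad entry rejects the whole export instead of being dropped.
func ResolveAll(root string, paths []string) ([]string, error) {
	out := make([]string, 0, len(paths))
	for _, p := range paths {
		abs, err := SafeResolve(root, p)
		if err != nil {
			return nil, fmt.Errorf("%q: %w", p, err)
		}
		out = append(out, abs)
	}
	return out, nil
}

func main() {
	const root = "/srv/siyuan/workspace" // hypothetical workspace root
	// Constructed sample request: two legitimate resources and one traversal attempt.
	requests := []string{"assets/diagram.png", "data/notes/../20240101.sy", "../../etc/passwd"}
	for _, p := range requests {
		fmt.Printf("naive: %q -> %q\n", p, NaiveResolve(root, p))
		if abs, err := SafeResolve(root, p); err != nil {
			fmt.Printf("safe:  %q -> rejected: %v\n", p, err)
		} else {
			fmt.Printf("safe:  %q -> %q\n", p, abs)
		}
	}
	if _, err := ResolveAll(root, requests); err != nil {
		fmt.Println("batch rejected:", err)
	}
}
```

The containment test is lexical, so it cannot see a symlink inside the workspace that points outside it. When the resolved file is expected to exist, follow the lexical check with `filepath.EvalSymlinks` on the candidate and run the same `filepath.Rel` containment test on the result before opening the file.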
CVE-2024-55658 is a path traversal vulnerability in SiYuan Kernel that allows attackers to read arbitrary files via the /api/export/exportResources endpoint. It is rated HIGH severity.
Yes. If you are running SiYuan Kernel versions prior to 3.1.16, you are affected by this vulnerability and should upgrade immediately.
Upgrade SiYuan Kernel to version 3.1.16 or later. As a temporary workaround, implement a WAF rule that blocks traversal sequences in requests to the export endpoint, and run the application under a low-privilege account.
There is currently no confirmed evidence of active exploitation, but the low complexity of the attack makes it a realistic risk.
Refer to the SiYuan GitHub repository and release notes for the latest security advisories and updates: https://github.com/siyuan-note/siyuan