x/vulndb: potential Go vuln in github.com/siyuan-note/siyuan/kernel: GHSA-25w9-wqfq-gwqx

[GoVulnBot]

Advisory GHSA-25w9-wqfq-gwqx references a vulnerability in the following Go modules:

Module
github.com/siyuan-note/siyuan/kernel

Description:

Summary

Siyuan's /api/export/exportResources endpoint is vulnerable to arbitary file read via path traversal. It is possible to manipulate the paths parameter to access and download arbitrary files from the host system by traversing the workspace directory structure.

Impact

Arbitrary File Read

References:

• ADVISORY: GHSA-25w9-wqfq-gwqx
• ADVISORY: GHSA-25w9-wqfq-gwqx
• FIX: siyuan-note/siyuan@e70ed57

No existing reports found with this module or alias.
See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/siyuan-note/siyuan/kernel
      vulnerable_at: 0.0.0-20241210012039-5129ad926a21
summary: |-
    SiYuan has an arbitrary file read and path traversal via
    /api/export/exportResources in github.com/siyuan-note/siyuan/kernel
cves:
    - CVE-2024-55658
ghsas:
    - GHSA-25w9-wqfq-gwqx
references:
    - advisory: https://github.com/advisories/GHSA-25w9-wqfq-gwqx
    - advisory: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-25w9-wqfq-gwqx
    - fix: https://github.com/siyuan-note/siyuan/commit/e70ed57f6e4852e2bd702671aeb8eb3a47a36d71
source:
    id: GHSA-25w9-wqfq-gwqx
    created: 2024-12-11T19:01:27.452662581Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/635223 mentions this issue: data/reports: add 5 unreviewed reports