Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/vulndb: potential Go vuln in github.com/siyuan-note/siyuan/kernel: GHSA-8fx8-pffw-w498 #3362

Closed
GoVulnBot opened this issue Jan 3, 2025 · 1 comment
Labels

Comments

@GoVulnBot
Copy link

Advisory GHSA-8fx8-pffw-w498 references a vulnerability in the following Go modules:

Module
github.com/siyuan-note/siyuan/kernel

Description:

Summary

A arbitrary file deletion vulnerability has been identified in the latest version of Siyuan Note. The vulnerability exists in the POST /api/history/getDocHistoryContent endpoint.An attacker can craft a payload to exploit this vulnerability, resulting in the deletion of arbitrary files on the server.

Details

The vulnerability can be reproduced by sending a crafted request to the /api/history/getDocHistoryContent endpoint.

Sending a request to the /api/history/getDocHistoryContent like:

curl "http://127.0.0.1:6806/api/history/getDocHistoryContent" -X POST -H "Co...

References:
- ADVISORY: https://github.com/advisories/GHSA-8fx8-pffw-w498
- ADVISORY: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-8fx8-pffw-w498
- FIX: https://github.com/siyuan-note/siyuan/commit/d9887aeec1b27073bec66299a9a4181dc42969f3

Cross references:
- github.com/siyuan-note/siyuan/kernel appears in 4 other report(s):
  - data/reports/GO-2024-3323.yaml    (https://github.com/golang/vulndb/issues/3323)
  - data/reports/GO-2024-3324.yaml    (https://github.com/golang/vulndb/issues/3324)
  - data/reports/GO-2024-3326.yaml    (https://github.com/golang/vulndb/issues/3326)
  - data/reports/GO-2024-3327.yaml    (https://github.com/golang/vulndb/issues/3327)

See [doc/quickstart.md](https://github.com/golang/vulndb/blob/master/doc/quickstart.md) for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
- module: github.com/siyuan-note/siyuan/kernel
non_go_versions:
- introduced: TODO (earliest fixed "", vuln range "< 0.0.0-20250103014808-d9887aeec1b2")
vulnerable_at: 0.0.0-20241231012955-adc819973b71
summary: SiYuan has an arbitrary file deletion vulnerability in github.com/siyuan-note/siyuan/kernel
cves:
- CVE-2025-21609
ghsas:
- GHSA-8fx8-pffw-w498
references:
- advisory: GHSA-8fx8-pffw-w498
- advisory: GHSA-8fx8-pffw-w498
- fix: siyuan-note/siyuan@d9887ae
source:
id: GHSA-8fx8-pffw-w498
created: 2025-01-03T17:01:18.762942657Z
review_status: UNREVIEWED

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/640916 mentions this issue: data/reports: add 10 unreviewed reports

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

3 participants