7.5

CVSS Score

3.0

Basic Information

CVE ID

CVE-2019-13915

GHSA ID

GHSA-6452-jr93-r5qm

EPSS Score

0.55665%

CWE

CWE-59

Published

5/24/2022

Updated

8/25/2023

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-13915

CVE-2019-13915: b3log Wide unauthenticated file access

b3log Wide before 1.6.0 allows three types of attacks to access arbitrary files. First, the attacker can write code in the editor, and compile and run it approximately three times to read an arbitrary file. Second, the attacker can create a symlink, and then place the symlink into a ZIP archive. An unzip operation leads to read access, and write access (depending on file permissions), to the symlink target. Third, the attacker can import a Git repository that contains a symlink, similarly leading to read and write access.

(GitHub Advisory)

7.5

CVSS Score

3.0

Basic Information

CVE ID

CVE-2019-13915

GHSA ID

GHSA-6452-jr93-r5qm

EPSS Score

0.55665%

CWE

CWE-59

Published

5/24/2022

Updated

8/25/2023

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/b3log/wide	go	< 1.6.0	1.6.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability describes three attack vectors: ZIP symlink extraction, Git repository symlink imports, and code execution abuse.

ZIP handling: The file.handleZipUpload function likely uses Go's archive/zip without sanitizing filenames or checking for symlinks, enabling path traversal.
Git imports: git.ImportRepository would clone repositories without validating symlinks, mirroring the ZIP issue.
Code execution: playground.CompileAndRun likely uses os/exec to run user code without proper sandboxing, allowing file reads via Go code injection. These functions align with the described CWE-59 and CWE-74 patterns and standard Go file-handling pitfalls.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

**lo* Wi** ***or* *.*.* *llows t*r** typ*s o* *tt**ks to ****ss *r*itr*ry *il*s. *irst, t** *tt**k*r **n writ* *o** in t** **itor, *n* *ompil* *n* run it *pproxim*t*ly t*r** tim*s to r*** *n *r*itr*ry *il*. S**on*, t** *tt**k*r **n *r**t* * symlink,

Reasoning

T** vuln*r**ility **s*ri**s t*r** *tt**k v**tors: ZIP symlink *xtr**tion, *it r*pository symlink imports, *n* *o** *x**ution **us*. *. ZIP **n*lin*: T** `*il*.**n*l*ZipUplo**` *un*tion lik*ly us*s *o's `*r**iv*/zip` wit*out s*nitizin* *il*n*m*s or *

7.5

Basic Information

Concerned about an active attack path?

CVE-2019-13915: b3log Wide unauthenticated file access

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI