exploitDog

GHSA-4pjc-pwgq-q9jp

Published: 11 Dec 2024
Source: github
GitHub: reviewed
CVSS4: 6.9

Description

SiYuan has an SSTI via /api/template/renderSprig

Summary

SiYuan's /api/template/renderSprig endpoint is vulnerable to Server-Side Template Injection (SSTI) through the Sprig template engine. Although the engine has limitations, it allows attackers to access environment variables.

Impact

Information leakage

Packages

Name: github.com/siyuan-note/siyuan/kernel (go)
Affected versions: <= 0.0.0-20241210012039-5129ad926a21
Fix version: none listed

EPSS

Percentile: 67%
Score: 0.00539
Low

CVSS4: 6.9 Medium

Weaknesses

CWE-1336

Related vulnerabilities

CVSS3: 9.8
nvd
about 1 year ago

SiYuan is a personal knowledge management system. Prior to version 3.1.16, SiYuan's `/api/template/renderSprig` endpoint is vulnerable to Server-Side Template Injection (SSTI) through the Sprig template engine. Although the engine has limitations, it allows attackers to access environment variables. Version 3.1.16 contains a patch for the issue.
