Описание
SiYuan vulnerable to RCE via zip slip and Command Injection via PandocBin
Summary
Siyuan is vulnerable to RCE. The issue stems from a "Zip Slip" vulnerability during zip file extraction, combined with the ability to overwrite system executables and subsequently trigger their execution.
Steps to reproduce
- Authenticate
- Create zip slip payload with path traversal entry
../../../../opt/siyuan/startup.sh. startup.sh contains malicious code like:
#!/bin/sh
echo 'you have been pwned' > /siyuan/workspace/data/pwned.txt
echo "pandoc 3.1.0"
- Upload zip to workspace via
/api/file/putFile - Extract zip via
/api/archive/unzip, overwrites the existing executablestartup.shwhile maintaining the +x permission - Trigger execution by calling
/api/setting/setExportwithpandocBin=/opt/siyuan/startup.sh. This callsIsValidPandocBin()which executesstartup.sh --versionthat outputs "pandoc 3.1.0" and executes any arbitrary malicious code
Пакеты
Наименование
github.com/siyuan-note/siyuan/kernel
go
Затронутые версииВерсия исправления
<= 0.0.0-20251202123337-6ef83b42c7ce
Отсутствует
8.6 High
CVSS4
Дефекты
CWE-22
8.6 High
CVSS4
Дефекты
CWE-22