CVE-2024-55660 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2024-55660

CVE-2024-55660

December 11, 2024

SiYuan is a personal knowledge management system. Prior to version 3.1.16, SiYuan's "/api/template/renderSprig" endpoint is vulnerable to Server-Side Template Injection (SSTI) through the Sprig template engine. Although the engine has limitations, it allows attackers to access environment variables. Version 3.1.16 contains a patch for the issue.

Related Resources (5)

https://github.com/siyuan-note/siyuan

https://nvd.nist.gov/vuln/detail/CVE-2024-55660

https://github.com/siyuan-note/siyuan/security/advisories/GHSA-4pjc-pwgq-q9jp

https://github.com/siyuan-note/siyuan/commit/e70ed57f6e4852e2bd702671aeb8eb3a47a36d71

https://pkg.go.dev/vuln/GO-2024-3324

Do you need more information?

CVSS v4

Base Score:

6.9

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

NONE

User Interaction

NONE

Vulnerable System Confidentiality

LOW

Vulnerable System Integrity

NONE

Vulnerable System Availability

NONE

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

NONE

Availability

NONE

Weakness Type (CWE)

Improper Control of Generation of Code ('Code Injection')

CWE-94

Improper Neutralization of Special Elements Used in a Template Engine

CWE-1336

EPSS

Base Score:

0.54

Products

Solutions

Resources

Company

Compare

Developer Tools