CVE-2024-55660

Summary

SiYuan is a personal knowledge management system. Prior to version 3.1.16, SiYuan's /api/template/renderSprig endpoint is vulnerable to Server-Side Template Injection (SSTI) through the Sprig template engine. Although the engine has limitations, it allows attackers to access environment variables. Version 3.1.16 contains a patch for the issue.

Affected Software

VendorProductVersion RangeStatus
siyuan-notesiyuan< 3.1.16affected

Weaknesses

  • CWE-1336: CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References