
SSTI via /api/template/renderSprig

Moderate
88250 published GHSA-4pjc-pwgq-q9jp Dec 11, 2024

Package

gomod https://github.com/siyuan-note/siyuan/ (Go)

Affected versions

v3.1.15

Patched versions

v3.1.16

Description

Summary

Siyuan's /api/template/renderSprig endpoint renders a caller-supplied template with the Sprig template engine, which makes it vulnerable to Server-Side Template Injection (SSTI). Sprig's function set limits what an injected template can do, but it still exposes functions that read the process environment, so an attacker who can submit a template to this endpoint can disclose the server's environment variables, including any secrets stored in them.
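The following is an added illustration of the weakness class, not code from the SiYuan project: a Go text/template renderer whose FuncMap contains environment-reading helpers, beside a hardened FuncMap with those helpers removed. To keep it runnable with only the standard library it does not import Sprig; instead it registers `env` and `expandenv` backed by `os.Getenv` and `os.ExpandEnv`, which is how the real Sprig functions behave. The template strings, the `DEMO_SECRET` variable and the function names `render`, `sprigLikeFuncs` and `hardenedFuncs` are constructed for this example.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"strings"
	"text/template"
)

// sprigLikeFuncs is a constructed FuncMap standing in for the part of Sprig
// that reaches host state. Sprig's own "env" and "expandenv" wrap os.Getenv
// and os.ExpandEnv in the same way; "upper" is here only as a benign helper.
func sprigLikeFuncs() template.FuncMap {
	return template.FuncMap{
		"env":       os.Getenv,
		"expandenv": os.ExpandEnv,
		"upper":     strings.ToUpper,
	}
}

// hardenedFuncs drops every function that reads the process environment.
// Rendering untrusted templates remains risky in general; this closes only
// the environment-variable disclosure channel described in the advisory.
func hardenedFuncs() template.FuncMap {
	fm := sprigLikeFuncs()
	for _, name := range []string{"env", "expandenv"} {
		delete(fm, name)
	}
	return fm
}

// render parses and executes an attacker-controlled template string with the
// given FuncMap, the way a renderSprig-style endpoint would. With the
// hardened map, Parse fails on an undefined function before anything runs.
func render(tpl string, funcs template.FuncMap) (string, error) {
	t, err := template.New("user").Funcs(funcs).Parse(tpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, nil); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	// Constructed secret so the demo does not depend on the host environment.
	os.Setenv("DEMO_SECRET", "s3cr3t")

	// Attacker-supplied template bodies (constructed for the example).
	for _, tpl := range []string{`{{ env "DEMO_SECRET" }}`, `{{ expandenv "$DEMO_SECRET" }}`} {
		out, err := render(tpl, sprigLikeFuncs())
		fmt.Printf("vulnerable %-32s -> %q err=%v\n", tpl, out, err)

		out, err = render(tpl, hardenedFuncs())
		fmt.Printf("hardened   %-32s -> %q err=%v\n", tpl, out, err)
	}
}
```

Removing functions from the FuncMap is the narrowest fix for this specific channel; it does not make rendering arbitrary user templates safe, so an endpoint like this should also require authentication and only accept templates from trusted sources.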

Impact

Information leakage

Severity

Moderate

CVE ID

CVE-2024-55660

Weaknesses

No CWEs

Credits