GHSA-4r66-7rcv-x46x
SiYuan vulnerable to RCE via zip slip and Command Injection via PandocBin
Summary
SiYuan is vulnerable to remote code execution (RCE). The issue stems from a "Zip Slip" vulnerability during zip file extraction (archive entry names containing path traversal are written outside the destination directory), combined with the ability to overwrite system executables and subsequently trigger their execution.
Steps to reproduce
- Authenticate.
- Create a zip slip payload with the path traversal entry ../../../../opt/siyuan/startup.sh. The startup.sh entry contains malicious code like:

    #!/bin/sh
    echo 'you have been pwned' > /siyuan/workspace/data/pwned.txt
    echo "pandoc 3.1.0"

- Upload the zip to the workspace via /api/file/putFile.
- Extract the zip via /api/archive/unzip. This overwrites the existing executable startup.sh while maintaining its +x permission.
- Trigger execution by calling /api/setting/setExport with pandocBin=/opt/siyuan/startup.sh. This calls IsValidPandocBin(), which executes startup.sh --version; the script outputs "pandoc 3.1.0" (satisfying the validity check) and executes any arbitrary malicious code.
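The control that a zip-slip extractor is missing, shown as an added example in Go (SiYuan's implementation language) that is not the project's own code: every entry name is resolved against the destination and rejected if it escapes it, before anything is written. The function names, the workspace path and the in-memory sample archive are assumptions constructed for this example.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var ErrZipSlip = errors.New("zip entry escapes destination directory")

// safeTarget resolves an entry name against dest and rejects any path outside it.
func safeTarget(dest, name string) (string, error) {
	target := filepath.Join(dest, name) // Join collapses ".." segments
	rel, err := filepath.Rel(dest, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(os.PathSeparator)) {
		return "", ErrZipSlip
	}
	return target, nil
}

// checkArchive validates every entry before anything is written, so one bad
// entry aborts the whole extraction rather than leaving a partial tree behind.
func checkArchive(archive []byte, dest string) error {
	r, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if err != nil {
		return err
	}
	for _, f := range r.File {
		if _, err := safeTarget(dest, f.Name); err != nil {
			return fmt.Errorf("entry %q: %w", f.Name, err)
		}
	}
	return nil
}

// buildZip assembles a one-entry archive in memory (constructed sample data).
func buildZip(name, body string) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	fw, _ := w.Create(name)
	fw.Write([]byte(body))
	w.Close()
	return buf.Bytes()
}

var sampleTraversalZip = buildZip("../../../../opt/siyuan/startup.sh", "#!/bin/sh\n") // advisory's entry name, harmless body
```

Run checkArchive on an upload before extracting it; a rejected archive should be logged with the offending entry name, which is the indicator a detection rule for this class of upload can key on.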
References
- https://github.com/siyuan-note/siyuan/security/advisories/GHSA-4r66-7rcv-x46x
- https://github.com/siyuan-note/siyuan
