x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-6fcf-g3mp-xj2x #3047

GoVulnBot · 2024-08-05T22:03:58Z

Advisory GHSA-6fcf-g3mp-xj2x references a vulnerability in the following Go modules:

Module
github.com/usememos/memos

Description:
memos is a privacy-first, lightweight note-taking service. In memos 0.13.2, an SSRF vulnerability exists at the /o/get/httpmeta that allows unauthenticated users to enumerate the internal network and receive limited html values in json form. This vulnerability is fixed in 0.16.1.

References:

ADVISORY: GHSA-6fcf-g3mp-xj2x
ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-29028
FIX: usememos/memos@6ffc09d
WEB: https://securitylab.github.com/advisories/GHSL-2023-154_GHSL-2023-156_memos

Cross references:

github.com/usememos/memos appears in 59 other report(s):
- data/excluded/GO-2022-1173.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-rgj5-jj5q-v3v7 #1173) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1189.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-c8jh-vcjh-fx2w #1189) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1190.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-vwg4-846x-f94v #1190) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1191.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-w57v-6xp4-rm2v #1191) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1192.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-qcw2-492v-57xj #1192) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1205.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-9v48-2h5x-fvpm #1205) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1215.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-68gw-r2x5-7r5r #1215) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1216.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-f552-97qx-c694 #1216) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1217.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-fv6c-rfg3-gvjw #1217) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1218.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-qr52-59r6-49f4 #1218) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1219.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-33m8-f4hw-wm3q #1219) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1220.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-j593-h5v3-45x6 #1220) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1225.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-97rc-mm5j-f6rj #1225) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1226.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-c2v4-8r9g-g5xj #1226) NOT_GO_CODE
- data/excluded/GO-2022-1228.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-v92p-phmp-xffr #1228) NOT_GO_CODE
- data/excluded/GO-2022-1235.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-f83p-pg86-p922 #1235) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1236.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-ghx2-6v4g-9wmm #1236) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1239.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-jvq8-w7qv-hqp6 #1239) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1240.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-mfvq-m3jj-8864 #1240) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1243.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-qcf5-m2c6-89f2 #1243) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1244.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-qrrf-xvcf-p64q #1244) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1245.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-qw36-rw5q-gxcq #1245) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1248.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-rx2m-xr4x-54hh #1248) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1250.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-642q-2q68-9j3p #1250) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1251.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-6fx9-29x2-fmfj #1251) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1252.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-6w5w-wx8w-2cq9 #1252) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1253.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-7qpw-2j9m-rw8c #1253) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1254.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-c5hq-35h7-r9x4 #1254) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1255.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-cwrm-33qq-4w2x #1255) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1256.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-gfj4-wg89-m22r #1256) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1257.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-gw9m-2m5v-c6x5 #1257) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1258.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-gxqf-4g4p-q3hc #1258) NOT_GO_CODE
- data/excluded/GO-2022-1259.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-hc5q-26h8-r9wf #1259) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1260.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-m5pr-wm6q-x4g2 #1260) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1261.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-pp3p-6jjh-rmg7 #1261) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1262.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-pwhr-p68w-296x #1262) NOT_GO_CODE
- data/excluded/GO-2022-1263.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-qf9q-3wwx-8qjv #1263) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1264.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-r7hg-2cpp-8wqq #1264) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1265.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-rmhx-9h5h-3xh3 #1265) NOT_GO_CODE
- data/excluded/GO-2022-1266.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-vh43-cc6x-prpr #1266) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1270.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-6whj-8g9g-5jvx #1270) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1271.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-8w5q-5fpq-v4pm #1271) NOT_GO_CODE
- data/excluded/GO-2023-1272.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-x9p9-v3x6-68mq #1272) NOT_GO_CODE
- data/excluded/GO-2023-1285.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-42q2-m54f-jh95 #1285) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1286.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-5jqp-wmhj-g33f #1286) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1291.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-mfmp-8mqg-q4wm #1291) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1292.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-mq5q-gpgv-pwxw #1292) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1449.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-r3p3-5f35-h6mf #1449) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1460.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-8686-4cr3-76wj #1460) NOT_GO_CODE
- data/excluded/GO-2023-1461.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-9h7x-9pmh-7gg8 #1461) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1462.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-fpjc-cxr6-w6h8 #1462) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1465.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-h2ph-9r76-37v5 #1465) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1467.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-pcvh-px2p-vmxw #1467) NOT_GO_CODE
- data/excluded/GO-2023-1469.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-x22v-qgm2-7qc7 #1469) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-2036.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-5j6p-59cj-j6cp #2036) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-2037.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-96gq-6ch5-mm54 #2037) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-2038.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-j2gj-g3p9-7mrr #2038) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-2065.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-2g7r-9xq5-c6hv #2065) EFFECTIVELY_PRIVATE
- data/reports/GO-2023-1566.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos/server: CVE-2022-25978 #1566)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/usememos/memos
      versions:
        - fixed: 0.16.1
      vulnerable_at: 0.16.0
summary: memos vulnerable to Server-Side Request Forgery in /o/get/httpmeta in github.com/usememos/memos
cves:
    - CVE-2024-29028
ghsas:
    - GHSA-6fcf-g3mp-xj2x
references:
    - advisory: https://github.com/advisories/GHSA-6fcf-g3mp-xj2x
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-29028
    - fix: https://github.com/usememos/memos/commit/6ffc09d86a1302c384ef085aa70c7bddb3ce7ba9
    - web: https://securitylab.github.com/advisories/GHSL-2023-154_GHSL-2023-156_memos
source:
    id: GHSA-6fcf-g3mp-xj2x
    created: 2024-08-05T22:03:58.277163229Z
review_status: UNREVIEWED

The text was updated successfully, but these errors were encountered:

gopherbot · 2024-08-06T22:19:05Z

Change https://go.dev/cl/603715 mentions this issue: data/reports: add 20 unreviewed reports

gopherbot · 2024-08-06T22:32:26Z

Change https://go.dev/cl/603716 mentions this issue: data/reports: add 19 unreviewed reports

tatianab added the triaged label Aug 6, 2024

gopherbot closed this as completed in 1be2c0b Aug 6, 2024

GoVulnBot mentioned this issue Aug 22, 2024

x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-p4fx-qf2h-jpmj #3088

Closed

GoVulnBot mentioned this issue Nov 15, 2024

x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-5r2g-59px-3q9w #3274

Closed

GoVulnBot mentioned this issue Feb 27, 2025

x/vulndb: potential Go vuln in github.com/usememos/memos: CVE-2025-22952 #3492

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-6fcf-g3mp-xj2x #3047

x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-6fcf-g3mp-xj2x #3047

GoVulnBot commented Aug 5, 2024

gopherbot commented Aug 6, 2024

gopherbot commented Aug 6, 2024

x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-6fcf-g3mp-xj2x #3047

x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-6fcf-g3mp-xj2x #3047

Comments

GoVulnBot commented Aug 5, 2024

gopherbot commented Aug 6, 2024

gopherbot commented Aug 6, 2024