github.com/usememos/memos: CVE-2024-29030 #26

tatianab · 2024-08-01T20:30:22Z

Advisory CVE-2024-29030 references a vulnerability in the following Go modules:

Module
github.com/usememos/memos

Description:
memos is a privacy-first, lightweight note-taking service. In memos 0.13.2, an SSRF vulnerability exists at the /api/resource that allows authenticated users to enumerate the internal network. Version 0.22.0 of memos removes the vulnerable file.

References:

Cross references:

github.com/usememos/memos appears in 59 other report(s):
- data/excluded/GO-2022-1173.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-rgj5-jj5q-v3v7 golang/vulndb#1173) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1189.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-c8jh-vcjh-fx2w golang/vulndb#1189) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1190.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-vwg4-846x-f94v golang/vulndb#1190) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1191.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-w57v-6xp4-rm2v golang/vulndb#1191) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1192.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-qcw2-492v-57xj golang/vulndb#1192) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1205.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-9v48-2h5x-fvpm golang/vulndb#1205) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1215.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-68gw-r2x5-7r5r golang/vulndb#1215) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1216.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-f552-97qx-c694 golang/vulndb#1216) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1217.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-fv6c-rfg3-gvjw golang/vulndb#1217) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1218.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-qr52-59r6-49f4 golang/vulndb#1218) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1219.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-33m8-f4hw-wm3q golang/vulndb#1219) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1220.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-j593-h5v3-45x6 golang/vulndb#1220) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1225.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-97rc-mm5j-f6rj golang/vulndb#1225) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1226.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-c2v4-8r9g-g5xj golang/vulndb#1226) NOT_GO_CODE
- data/excluded/GO-2022-1228.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-v92p-phmp-xffr golang/vulndb#1228) NOT_GO_CODE
- data/excluded/GO-2022-1235.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-f83p-pg86-p922 golang/vulndb#1235) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1236.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-ghx2-6v4g-9wmm golang/vulndb#1236) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1239.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-jvq8-w7qv-hqp6 golang/vulndb#1239) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1240.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-mfvq-m3jj-8864 golang/vulndb#1240) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1243.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-qcf5-m2c6-89f2 golang/vulndb#1243) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1244.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-qrrf-xvcf-p64q golang/vulndb#1244) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1245.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-qw36-rw5q-gxcq golang/vulndb#1245) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1248.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-rx2m-xr4x-54hh golang/vulndb#1248) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1250.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-642q-2q68-9j3p golang/vulndb#1250) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1251.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-6fx9-29x2-fmfj golang/vulndb#1251) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1252.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-6w5w-wx8w-2cq9 golang/vulndb#1252) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1253.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-7qpw-2j9m-rw8c golang/vulndb#1253) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1254.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-c5hq-35h7-r9x4 golang/vulndb#1254) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1255.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-cwrm-33qq-4w2x golang/vulndb#1255) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1256.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-gfj4-wg89-m22r golang/vulndb#1256) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1257.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-gw9m-2m5v-c6x5 golang/vulndb#1257) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1258.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-gxqf-4g4p-q3hc golang/vulndb#1258) NOT_GO_CODE
- data/excluded/GO-2022-1259.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-hc5q-26h8-r9wf golang/vulndb#1259) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1260.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-m5pr-wm6q-x4g2 golang/vulndb#1260) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1261.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-pp3p-6jjh-rmg7 golang/vulndb#1261) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1262.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-pwhr-p68w-296x golang/vulndb#1262) NOT_GO_CODE
- data/excluded/GO-2022-1263.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-qf9q-3wwx-8qjv golang/vulndb#1263) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1264.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-r7hg-2cpp-8wqq golang/vulndb#1264) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1265.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-rmhx-9h5h-3xh3 golang/vulndb#1265) NOT_GO_CODE
- data/excluded/GO-2022-1266.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-vh43-cc6x-prpr golang/vulndb#1266) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1270.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-6whj-8g9g-5jvx golang/vulndb#1270) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1271.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-8w5q-5fpq-v4pm golang/vulndb#1271) NOT_GO_CODE
- data/excluded/GO-2023-1272.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-x9p9-v3x6-68mq golang/vulndb#1272) NOT_GO_CODE
- data/excluded/GO-2023-1285.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-42q2-m54f-jh95 golang/vulndb#1285) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1286.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-5jqp-wmhj-g33f golang/vulndb#1286) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1291.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-mfmp-8mqg-q4wm golang/vulndb#1291) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1292.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-mq5q-gpgv-pwxw golang/vulndb#1292) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1449.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-r3p3-5f35-h6mf golang/vulndb#1449) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1460.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-8686-4cr3-76wj golang/vulndb#1460) NOT_GO_CODE
- data/excluded/GO-2023-1461.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-9h7x-9pmh-7gg8 golang/vulndb#1461) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1462.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-fpjc-cxr6-w6h8 golang/vulndb#1462) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1465.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-h2ph-9r76-37v5 golang/vulndb#1465) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1467.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-pcvh-px2p-vmxw golang/vulndb#1467) NOT_GO_CODE
- data/excluded/GO-2023-1469.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-x22v-qgm2-7qc7 golang/vulndb#1469) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-2036.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-5j6p-59cj-j6cp golang/vulndb#2036) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-2037.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-96gq-6ch5-mm54 golang/vulndb#2037) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-2038.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-j2gj-g3p9-7mrr golang/vulndb#2038) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-2065.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-2g7r-9xq5-c6hv golang/vulndb#2065) EFFECTIVELY_PRIVATE
- data/reports/GO-2023-1566.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos/server: CVE-2022-25978 golang/vulndb#1566)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/usememos/memos
      versions:
        - fixed: 0.22.0
      vulnerable_at: 0.21.1
summary: memos vulnerable to an SSRF in /api/resource in github.com/usememos/memos
cves:
    - CVE-2024-29030
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-29030
    - fix: https://github.com/usememos/memos/commit/bbd206e8930281eb040cc8c549641455892b9eb5
    - web: https://github.com/usememos/memos/blob/06dbd8731161245444f4b50f4f9ed267f7c3cf63/api/v1/resource.go#L83
    - web: https://securitylab.github.com/advisories/GHSL-2023-154_GHSL-2023-156_memos/
source:
    id: CVE-2024-29030
    created: 2024-08-01T16:30:22.143472-04:00
review_status: UNREVIEWED

The text was updated successfully, but these errors were encountered:

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

github.com/usememos/memos: CVE-2024-29030 #26

github.com/usememos/memos: CVE-2024-29030 #26

tatianab commented Aug 1, 2024

github.com/usememos/memos: CVE-2024-29030 #26

github.com/usememos/memos: CVE-2024-29030 #26

Comments

tatianab commented Aug 1, 2024