github.com/usememos/memos: CVE-2024-29029 #25

tatianab · 2024-08-01T20:30:21Z

Advisory CVE-2024-29029 references a vulnerability in the following Go modules:

Module
github.com/usememos/memos

Description:
memos is a privacy-first, lightweight note-taking service. In memos 0.13.2, an SSRF vulnerability exists at the /o/get/image that allows unauthenticated users to enumerate the internal network and retrieve images. The response from the image request is then copied into the response of the current server request, causing a reflected XSS vulnerability. Version 0.22.0 of memos removes the vulnerable file.

References:

Cross references:

github.com/usememos/memos appears in 59 other report(s):
- data/excluded/GO-2022-1173.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-rgj5-jj5q-v3v7 golang/vulndb#1173) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1189.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-c8jh-vcjh-fx2w golang/vulndb#1189) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1190.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-vwg4-846x-f94v golang/vulndb#1190) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1191.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-w57v-6xp4-rm2v golang/vulndb#1191) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1192.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-qcw2-492v-57xj golang/vulndb#1192) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1205.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-9v48-2h5x-fvpm golang/vulndb#1205) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1215.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-68gw-r2x5-7r5r golang/vulndb#1215) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1216.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-f552-97qx-c694 golang/vulndb#1216) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1217.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-fv6c-rfg3-gvjw golang/vulndb#1217) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1218.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-qr52-59r6-49f4 golang/vulndb#1218) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1219.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-33m8-f4hw-wm3q golang/vulndb#1219) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1220.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-j593-h5v3-45x6 golang/vulndb#1220) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1225.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-97rc-mm5j-f6rj golang/vulndb#1225) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1226.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-c2v4-8r9g-g5xj golang/vulndb#1226) NOT_GO_CODE
- data/excluded/GO-2022-1228.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-v92p-phmp-xffr golang/vulndb#1228) NOT_GO_CODE
- data/excluded/GO-2022-1235.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-f83p-pg86-p922 golang/vulndb#1235) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1236.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-ghx2-6v4g-9wmm golang/vulndb#1236) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1239.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-jvq8-w7qv-hqp6 golang/vulndb#1239) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1240.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-mfvq-m3jj-8864 golang/vulndb#1240) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1243.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-qcf5-m2c6-89f2 golang/vulndb#1243) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1244.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-qrrf-xvcf-p64q golang/vulndb#1244) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1245.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-qw36-rw5q-gxcq golang/vulndb#1245) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1248.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-rx2m-xr4x-54hh golang/vulndb#1248) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1250.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-642q-2q68-9j3p golang/vulndb#1250) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1251.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-6fx9-29x2-fmfj golang/vulndb#1251) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1252.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-6w5w-wx8w-2cq9 golang/vulndb#1252) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1253.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-7qpw-2j9m-rw8c golang/vulndb#1253) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1254.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-c5hq-35h7-r9x4 golang/vulndb#1254) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1255.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-cwrm-33qq-4w2x golang/vulndb#1255) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1256.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-gfj4-wg89-m22r golang/vulndb#1256) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1257.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-gw9m-2m5v-c6x5 golang/vulndb#1257) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1258.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-gxqf-4g4p-q3hc golang/vulndb#1258) NOT_GO_CODE
- data/excluded/GO-2022-1259.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-hc5q-26h8-r9wf golang/vulndb#1259) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1260.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-m5pr-wm6q-x4g2 golang/vulndb#1260) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1261.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-pp3p-6jjh-rmg7 golang/vulndb#1261) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1262.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-pwhr-p68w-296x golang/vulndb#1262) NOT_GO_CODE
- data/excluded/GO-2022-1263.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-qf9q-3wwx-8qjv golang/vulndb#1263) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1264.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-r7hg-2cpp-8wqq golang/vulndb#1264) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1265.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-rmhx-9h5h-3xh3 golang/vulndb#1265) NOT_GO_CODE
- data/excluded/GO-2022-1266.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-vh43-cc6x-prpr golang/vulndb#1266) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1270.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-6whj-8g9g-5jvx golang/vulndb#1270) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1271.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-8w5q-5fpq-v4pm golang/vulndb#1271) NOT_GO_CODE
- data/excluded/GO-2023-1272.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-x9p9-v3x6-68mq golang/vulndb#1272) NOT_GO_CODE
- data/excluded/GO-2023-1285.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-42q2-m54f-jh95 golang/vulndb#1285) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1286.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-5jqp-wmhj-g33f golang/vulndb#1286) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1291.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-mfmp-8mqg-q4wm golang/vulndb#1291) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1292.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-mq5q-gpgv-pwxw golang/vulndb#1292) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1449.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-r3p3-5f35-h6mf golang/vulndb#1449) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1460.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-8686-4cr3-76wj golang/vulndb#1460) NOT_GO_CODE
- data/excluded/GO-2023-1461.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-9h7x-9pmh-7gg8 golang/vulndb#1461) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1462.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-fpjc-cxr6-w6h8 golang/vulndb#1462) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1465.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-h2ph-9r76-37v5 golang/vulndb#1465) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1467.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-pcvh-px2p-vmxw golang/vulndb#1467) NOT_GO_CODE
- data/excluded/GO-2023-1469.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-x22v-qgm2-7qc7 golang/vulndb#1469) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-2036.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-5j6p-59cj-j6cp golang/vulndb#2036) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-2037.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-96gq-6ch5-mm54 golang/vulndb#2037) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-2038.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-j2gj-g3p9-7mrr golang/vulndb#2038) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-2065.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-2g7r-9xq5-c6hv golang/vulndb#2065) EFFECTIVELY_PRIVATE
- data/reports/GO-2023-1566.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos/server: CVE-2022-25978 golang/vulndb#1566)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/usememos/memos
      versions:
        - fixed: 0.22.0
      vulnerable_at: 0.21.1
summary: memos vulnerable to an SSRF in /o/get/image in github.com/usememos/memos
cves:
    - CVE-2024-29029
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-29029
    - fix: https://github.com/usememos/memos/commit/bbd206e8930281eb040cc8c549641455892b9eb5
    - web: https://github.com/usememos/memos/blob/06dbd8731161245444f4b50f4f9ed267f7c3cf63/api/v1/http_getter.go#L29
    - web: https://securitylab.github.com/advisories/GHSL-2023-154_GHSL-2023-156_memos/
source:
    id: CVE-2024-29029
    created: 2024-08-01T16:30:20.880596-04:00
review_status: UNREVIEWED

The text was updated successfully, but these errors were encountered:

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

github.com/usememos/memos: CVE-2024-29029 #25

github.com/usememos/memos: CVE-2024-29029 #25

tatianab commented Aug 1, 2024

github.com/usememos/memos: CVE-2024-29029 #25

github.com/usememos/memos: CVE-2024-29029 #25

Comments

tatianab commented Aug 1, 2024