CVE-2024-29030 - OpenCVE

memos is a privacy-first, lightweight note-taking service. In memos 0.13.2, an SSRF vulnerability exists at the /api/resource that allows authenticated users to enumerate the internal network.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

No data.

No data.

References

Link	Resource
https://github.com/usememos/memos/blob/06dbd8731161245444f4b50f4f9ed267f7c3cf63/api/v1/resource.go#L83
https://github.com/usememos/memos/commit/bbd206e8930281eb040cc8c549641455892b9eb5
https://securitylab.github.com/advisories/GHSL-2023-154_GHSL-2023-156_memos/

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-04-19T15:13:59.762Z

Updated: 2024-06-04T17:56:52.117Z

Reserved: 2024-03-14T16:59:47.612Z

Link: CVE-2024-29030

JSON object: View

NVD Information

Status : Awaiting Analysis

Published: 2024-04-19T15:15:50.430

Modified: 2024-04-19T16:19:49.043

Link: CVE-2024-29030

JSON object: View

Redhat Information

No data.

CWE

CWE-918

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-29030", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-03-14T16:59:47.612Z", "datePublished": "2024-04-19T15:13:59.762Z", "dateUpdated": "2024-06-04T17:56:52.117Z"}, "containers": {"cna": {"title": "memos vulnerable to an SSRF in /api/resource", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://securitylab.github.com/advisories/GHSL-2023-154_GHSL-2023-156_memos/", "tags": ["x_refsource_CONFIRM"], "url": "https://securitylab.github.com/advisories/GHSL-2023-154_GHSL-2023-156_memos/"}, {"name": "https://github.com/usememos/memos/commit/bbd206e8930281eb040cc8c549641455892b9eb5", "tags": ["x_refsource_MISC"], "url": "https://github.com/usememos/memos/commit/bbd206e8930281eb040cc8c549641455892b9eb5"}, {"name": "https://github.com/usememos/memos/blob/06dbd8731161245444f4b50f4f9ed267f7c3cf63/api/v1/resource.go#L83", "tags": ["x_refsource_MISC"], "url": "https://github.com/usememos/memos/blob/06dbd8731161245444f4b50f4f9ed267f7c3cf63/api/v1/resource.go#L83"}], "affected": [{"vendor": "usememos", "product": "memos", "versions": [{"version": "<= 0.13.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-04-19T15:45:16.548Z"}, "descriptions": [{"lang": "en", "value": "memos is a privacy-first, lightweight note-taking service. In memos 0.13.2, an SSRF vulnerability exists at the /api/resource that allows authenticated users to enumerate the internal network."}], "source": {"advisory": "GHSA-65fm-2jgr-j7qq", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-29030", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-23T19:28:06.897220Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:memos:memos:0.13.2:*:*:*:*:*:*:*"], "vendor": "memos", "product": "memos", "versions": [{"status": "affected", "version": "0.13.2"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:56:52.117Z"}}]}}