x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-65fm-2jgr-j7qq

[GoVulnBot]

Advisory GHSA-65fm-2jgr-j7qq references a vulnerability in the following Go modules:

Module
github.com/usememos/memos

Description: memos is a privacy-first, lightweight note-taking service. In memos 0.13.2, an SSRF vulnerability exists at the /api/resource that allows authenticated users to enumerate the internal network. Version 0.22.0 of memos removes the vulnerable file.

References:

• ADVISORY: https://github.com/advisories/GHSA-65fm-2jgr-j7qq
• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-29030
• FIX: https://github.com/usememos/memos/commit/bbd206e8930281eb040cc8c549641455892b9eb5
• WEB: https://github.com/usememos/memos/blob/06dbd8731161245444f4b50f4f9ed267f7c3cf63/api/v1/resource.go#L83
• WEB: https://securitylab.github.com/advisories/GHSL-2023-154_GHSL-2023-156_memos

Cross references:

• github.com/usememos/memos appears in 59 other report(s):
  • data/excluded/GO-2022-1173.yaml (https://github.com/golang/vulndb/issues/1173) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1189.yaml (https://github.com/golang/vulndb/issues/1189) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1190.yaml (https://github.com/golang/vulndb/issues/1190) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1191.yaml (https://github.com/golang/vulndb/issues/1191) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1192.yaml (https://github.com/golang/vulndb/issues/1192) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1205.yaml (https://github.com/golang/vulndb/issues/1205) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1215.yaml (https://github.com/golang/vulndb/issues/1215) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1216.yaml (https://github.com/golang/vulndb/issues/1216) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1217.yaml (https://github.com/golang/vulndb/issues/1217) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1218.yaml (https://github.com/golang/vulndb/issues/1218) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1219.yaml (https://github.com/golang/vulndb/issues/1219) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1220.yaml (https://github.com/golang/vulndb/issues/1220) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1225.yaml (https://github.com/golang/vulndb/issues/1225) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1226.yaml (https://github.com/golang/vulndb/issues/1226) NOT_GO_CODE
  • data/excluded/GO-2022-1228.yaml (https://github.com/golang/vulndb/issues/1228) NOT_GO_CODE
  • data/excluded/GO-2022-1235.yaml (https://github.com/golang/vulndb/issues/1235) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1236.yaml (https://github.com/golang/vulndb/issues/1236) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1239.yaml (https://github.com/golang/vulndb/issues/1239) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1240.yaml (https://github.com/golang/vulndb/issues/1240) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1243.yaml (https://github.com/golang/vulndb/issues/1243) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1244.yaml (https://github.com/golang/vulndb/issues/1244) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1245.yaml (https://github.com/golang/vulndb/issues/1245) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1248.yaml (https://github.com/golang/vulndb/issues/1248) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1250.yaml (https://github.com/golang/vulndb/issues/1250) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1251.yaml (https://github.com/golang/vulndb/issues/1251) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1252.yaml (https://github.com/golang/vulndb/issues/1252) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1253.yaml (https://github.com/golang/vulndb/issues/1253) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1254.yaml (https://github.com/golang/vulndb/issues/1254) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1255.yaml (https://github.com/golang/vulndb/issues/1255) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1256.yaml (https://github.com/golang/vulndb/issues/1256) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1257.yaml (https://github.com/golang/vulndb/issues/1257) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1258.yaml (https://github.com/golang/vulndb/issues/1258) NOT_GO_CODE
  • data/excluded/GO-2022-1259.yaml (https://github.com/golang/vulndb/issues/1259) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1260.yaml (https://github.com/golang/vulndb/issues/1260) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1261.yaml (https://github.com/golang/vulndb/issues/1261) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1262.yaml (https://github.com/golang/vulndb/issues/1262) NOT_GO_CODE
  • data/excluded/GO-2022-1263.yaml (https://github.com/golang/vulndb/issues/1263) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1264.yaml (https://github.com/golang/vulndb/issues/1264) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1265.yaml (https://github.com/golang/vulndb/issues/1265) NOT_GO_CODE
  • data/excluded/GO-2022-1266.yaml (https://github.com/golang/vulndb/issues/1266) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1270.yaml (https://github.com/golang/vulndb/issues/1270) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1271.yaml (https://github.com/golang/vulndb/issues/1271) NOT_GO_CODE
  • data/excluded/GO-2023-1272.yaml (https://github.com/golang/vulndb/issues/1272) NOT_GO_CODE
  • data/excluded/GO-2023-1285.yaml (https://github.com/golang/vulndb/issues/1285) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1286.yaml (https://github.com/golang/vulndb/issues/1286) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1291.yaml (https://github.com/golang/vulndb/issues/1291) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1292.yaml (https://github.com/golang/vulndb/issues/1292) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1449.yaml (https://github.com/golang/vulndb/issues/1449) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1460.yaml (https://github.com/golang/vulndb/issues/1460) NOT_GO_CODE
  • data/excluded/GO-2023-1461.yaml (https://github.com/golang/vulndb/issues/1461) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1462.yaml (https://github.com/golang/vulndb/issues/1462) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1465.yaml (https://github.com/golang/vulndb/issues/1465) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1467.yaml (https://github.com/golang/vulndb/issues/1467) NOT_GO_CODE
  • data/excluded/GO-2023-1469.yaml (https://github.com/golang/vulndb/issues/1469) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2036.yaml (https://github.com/golang/vulndb/issues/2036) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2037.yaml (https://github.com/golang/vulndb/issues/2037) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2038.yaml (https://github.com/golang/vulndb/issues/2038) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2065.yaml (https://github.com/golang/vulndb/issues/2065) EFFECTIVELY_PRIVATE
  • data/reports/GO-2023-1566.yaml (https://github.com/golang/vulndb/issues/1566)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/usememos/memos
      versions:
        - fixed: 0.22.0
      vulnerable_at: 0.21.1
summary: memos vulnerable to Server-Side Request Forgery in /api/resource in github.com/usememos/memos
cves:
    - CVE-2024-29030
ghsas:
    - GHSA-65fm-2jgr-j7qq
references:
    - advisory: https://github.com/advisories/GHSA-65fm-2jgr-j7qq
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-29030
    - fix: https://github.com/usememos/memos/commit/bbd206e8930281eb040cc8c549641455892b9eb5
    - web: https://github.com/usememos/memos/blob/06dbd8731161245444f4b50f4f9ed267f7c3cf63/api/v1/resource.go#L83
    - web: https://securitylab.github.com/advisories/GHSL-2023-154_GHSL-2023-156_memos
source:
    id: GHSA-65fm-2jgr-j7qq
    created: 2024-08-05T22:03:57.186965461Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/603715 mentions this issue: data/reports: add 20 unreviewed reports

[gopherbot]

Change https://go.dev/cl/603716 mentions this issue: data/reports: add 19 unreviewed reports