x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-9cqm-mgv9-vv9j

[GoVulnBot]

Advisory GHSA-9cqm-mgv9-vv9j references a vulnerability in the following Go modules:

Module
github.com/usememos/memos

Description: memos is a privacy-first, lightweight note-taking service. In memos 0.13.2, an SSRF vulnerability exists at the /o/get/image that allows unauthenticated users to enumerate the internal network and retrieve images. The response from the image request is then copied into the response of the current server request, causing a reflected XSS vulnerability. Version 0.22.0 of memos removes the vulnerable file.

References:

• ADVISORY: https://github.com/advisories/GHSA-9cqm-mgv9-vv9j
• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-29029
• FIX: https://github.com/usememos/memos/commit/bbd206e8930281eb040cc8c549641455892b9eb5
• WEB: https://github.com/usememos/memos/blob/06dbd8731161245444f4b50f4f9ed267f7c3cf63/api/v1/http_getter.go#L29
• WEB: https://securitylab.github.com/advisories/GHSL-2023-154_GHSL-2023-156_memos

Cross references:

• github.com/usememos/memos appears in 59 other report(s):
  • data/excluded/GO-2022-1173.yaml (https://github.com/golang/vulndb/issues/1173) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1189.yaml (https://github.com/golang/vulndb/issues/1189) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1190.yaml (https://github.com/golang/vulndb/issues/1190) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1191.yaml (https://github.com/golang/vulndb/issues/1191) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1192.yaml (https://github.com/golang/vulndb/issues/1192) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1205.yaml (https://github.com/golang/vulndb/issues/1205) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1215.yaml (https://github.com/golang/vulndb/issues/1215) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1216.yaml (https://github.com/golang/vulndb/issues/1216) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1217.yaml (https://github.com/golang/vulndb/issues/1217) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1218.yaml (https://github.com/golang/vulndb/issues/1218) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1219.yaml (https://github.com/golang/vulndb/issues/1219) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1220.yaml (https://github.com/golang/vulndb/issues/1220) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1225.yaml (https://github.com/golang/vulndb/issues/1225) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1226.yaml (https://github.com/golang/vulndb/issues/1226) NOT_GO_CODE
  • data/excluded/GO-2022-1228.yaml (https://github.com/golang/vulndb/issues/1228) NOT_GO_CODE
  • data/excluded/GO-2022-1235.yaml (https://github.com/golang/vulndb/issues/1235) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1236.yaml (https://github.com/golang/vulndb/issues/1236) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1239.yaml (https://github.com/golang/vulndb/issues/1239) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1240.yaml (https://github.com/golang/vulndb/issues/1240) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1243.yaml (https://github.com/golang/vulndb/issues/1243) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1244.yaml (https://github.com/golang/vulndb/issues/1244) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1245.yaml (https://github.com/golang/vulndb/issues/1245) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1248.yaml (https://github.com/golang/vulndb/issues/1248) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1250.yaml (https://github.com/golang/vulndb/issues/1250) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1251.yaml (https://github.com/golang/vulndb/issues/1251) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1252.yaml (https://github.com/golang/vulndb/issues/1252) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1253.yaml (https://github.com/golang/vulndb/issues/1253) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1254.yaml (https://github.com/golang/vulndb/issues/1254) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1255.yaml (https://github.com/golang/vulndb/issues/1255) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1256.yaml (https://github.com/golang/vulndb/issues/1256) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1257.yaml (https://github.com/golang/vulndb/issues/1257) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1258.yaml (https://github.com/golang/vulndb/issues/1258) NOT_GO_CODE
  • data/excluded/GO-2022-1259.yaml (https://github.com/golang/vulndb/issues/1259) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1260.yaml (https://github.com/golang/vulndb/issues/1260) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1261.yaml (https://github.com/golang/vulndb/issues/1261) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1262.yaml (https://github.com/golang/vulndb/issues/1262) NOT_GO_CODE
  • data/excluded/GO-2022-1263.yaml (https://github.com/golang/vulndb/issues/1263) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1264.yaml (https://github.com/golang/vulndb/issues/1264) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1265.yaml (https://github.com/golang/vulndb/issues/1265) NOT_GO_CODE
  • data/excluded/GO-2022-1266.yaml (https://github.com/golang/vulndb/issues/1266) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1270.yaml (https://github.com/golang/vulndb/issues/1270) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1271.yaml (https://github.com/golang/vulndb/issues/1271) NOT_GO_CODE
  • data/excluded/GO-2023-1272.yaml (https://github.com/golang/vulndb/issues/1272) NOT_GO_CODE
  • data/excluded/GO-2023-1285.yaml (https://github.com/golang/vulndb/issues/1285) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1286.yaml (https://github.com/golang/vulndb/issues/1286) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1291.yaml (https://github.com/golang/vulndb/issues/1291) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1292.yaml (https://github.com/golang/vulndb/issues/1292) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1449.yaml (https://github.com/golang/vulndb/issues/1449) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1460.yaml (https://github.com/golang/vulndb/issues/1460) NOT_GO_CODE
  • data/excluded/GO-2023-1461.yaml (https://github.com/golang/vulndb/issues/1461) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1462.yaml (https://github.com/golang/vulndb/issues/1462) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1465.yaml (https://github.com/golang/vulndb/issues/1465) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1467.yaml (https://github.com/golang/vulndb/issues/1467) NOT_GO_CODE
  • data/excluded/GO-2023-1469.yaml (https://github.com/golang/vulndb/issues/1469) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2036.yaml (https://github.com/golang/vulndb/issues/2036) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2037.yaml (https://github.com/golang/vulndb/issues/2037) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2038.yaml (https://github.com/golang/vulndb/issues/2038) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2065.yaml (https://github.com/golang/vulndb/issues/2065) EFFECTIVELY_PRIVATE
  • data/reports/GO-2023-1566.yaml (https://github.com/golang/vulndb/issues/1566)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/usememos/memos
      versions:
        - fixed: 0.22.0
      vulnerable_at: 0.21.1
summary: memos vulnerable to Server-Side Request Forgery and Cross-site Scripting in github.com/usememos/memos
cves:
    - CVE-2024-29029
ghsas:
    - GHSA-9cqm-mgv9-vv9j
references:
    - advisory: https://github.com/advisories/GHSA-9cqm-mgv9-vv9j
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-29029
    - fix: https://github.com/usememos/memos/commit/bbd206e8930281eb040cc8c549641455892b9eb5
    - web: https://github.com/usememos/memos/blob/06dbd8731161245444f4b50f4f9ed267f7c3cf63/api/v1/http_getter.go#L29
    - web: https://securitylab.github.com/advisories/GHSL-2023-154_GHSL-2023-156_memos
source:
    id: GHSA-9cqm-mgv9-vv9j
    created: 2024-08-05T22:03:59.947759636Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/603715 mentions this issue: data/reports: add 20 unreviewed reports

[gopherbot]

Change https://go.dev/cl/603716 mentions this issue: data/reports: add 19 unreviewed reports