x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-p4fx-qf2h-jpmj

[GoVulnBot]

Advisory GHSA-p4fx-qf2h-jpmj references a vulnerability in the following Go modules:

Module
github.com/usememos/memos

Description: memos is a privacy-first, lightweight note-taking service. A CORS misconfiguration exists in memos 0.20.1 and earlier where an arbitrary origin is reflected with Access-Control-Allow-Credentials set to true. This may allow an attacking website to make a cross-origin request, allowing the attacker to read private information or make privileged changes to the system as the vulnerable user account.

References:

• ADVISORY: https://github.com/advisories/GHSA-p4fx-qf2h-jpmj
• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-41659
• FIX: https://github.com/usememos/memos/commit/8101a5e0b162044c16385bee4f12a4a653d050b9
• WEB: https://github.com/usememos/memos/blob/v0.20.1/server/server.go#L163
• WEB: https://securitylab.github.com/advisories/GHSL-2024-034_memos

Cross references:

• github.com/usememos/memos appears in 62 other report(s):
  • data/excluded/GO-2022-1173.yaml (https://github.com/golang/vulndb/issues/1173) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1226.yaml (https://github.com/golang/vulndb/issues/1226) NOT_GO_CODE
  • data/excluded/GO-2022-1228.yaml (https://github.com/golang/vulndb/issues/1228) NOT_GO_CODE
  • data/excluded/GO-2022-1254.yaml (https://github.com/golang/vulndb/issues/1254) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1255.yaml (https://github.com/golang/vulndb/issues/1255) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1258.yaml (https://github.com/golang/vulndb/issues/1258) NOT_GO_CODE
  • data/excluded/GO-2022-1262.yaml (https://github.com/golang/vulndb/issues/1262) NOT_GO_CODE
  • data/excluded/GO-2022-1265.yaml (https://github.com/golang/vulndb/issues/1265) NOT_GO_CODE
  • data/excluded/GO-2023-1271.yaml (https://github.com/golang/vulndb/issues/1271) NOT_GO_CODE
  • data/excluded/GO-2023-1272.yaml (https://github.com/golang/vulndb/issues/1272) NOT_GO_CODE
  • data/excluded/GO-2023-1286.yaml (https://github.com/golang/vulndb/issues/1286) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1460.yaml (https://github.com/golang/vulndb/issues/1460) NOT_GO_CODE
  • data/excluded/GO-2023-1467.yaml (https://github.com/golang/vulndb/issues/1467) NOT_GO_CODE
  • data/excluded/GO-2023-2037.yaml (https://github.com/golang/vulndb/issues/2037) EFFECTIVELY_PRIVATE
  • data/reports/GO-2022-1189.yaml (https://github.com/golang/vulndb/issues/1189)
  • data/reports/GO-2022-1190.yaml (https://github.com/golang/vulndb/issues/1190)
  • data/reports/GO-2022-1191.yaml (https://github.com/golang/vulndb/issues/1191)
  • data/reports/GO-2022-1192.yaml (https://github.com/golang/vulndb/issues/1192)
  • data/reports/GO-2022-1205.yaml (https://github.com/golang/vulndb/issues/1205)
  • data/reports/GO-2022-1215.yaml (https://github.com/golang/vulndb/issues/1215)
  • data/reports/GO-2022-1216.yaml (https://github.com/golang/vulndb/issues/1216)
  • data/reports/GO-2022-1217.yaml (https://github.com/golang/vulndb/issues/1217)
  • data/reports/GO-2022-1218.yaml (https://github.com/golang/vulndb/issues/1218)
  • data/reports/GO-2022-1219.yaml (https://github.com/golang/vulndb/issues/1219)
  • data/reports/GO-2022-1220.yaml (https://github.com/golang/vulndb/issues/1220)
  • data/reports/GO-2022-1225.yaml (https://github.com/golang/vulndb/issues/1225)
  • data/reports/GO-2022-1235.yaml (https://github.com/golang/vulndb/issues/1235)
  • data/reports/GO-2022-1236.yaml (https://github.com/golang/vulndb/issues/1236)
  • data/reports/GO-2022-1239.yaml (https://github.com/golang/vulndb/issues/1239)
  • data/reports/GO-2022-1240.yaml (https://github.com/golang/vulndb/issues/1240)
  • data/reports/GO-2022-1243.yaml (https://github.com/golang/vulndb/issues/1243)
  • data/reports/GO-2022-1244.yaml (https://github.com/golang/vulndb/issues/1244)
  • data/reports/GO-2022-1245.yaml (https://github.com/golang/vulndb/issues/1245)
  • data/reports/GO-2022-1248.yaml (https://github.com/golang/vulndb/issues/1248)
  • data/reports/GO-2022-1250.yaml (https://github.com/golang/vulndb/issues/1250)
  • data/reports/GO-2022-1251.yaml (https://github.com/golang/vulndb/issues/1251)
  • data/reports/GO-2022-1252.yaml (https://github.com/golang/vulndb/issues/1252)
  • data/reports/GO-2022-1253.yaml (https://github.com/golang/vulndb/issues/1253)
  • data/reports/GO-2022-1256.yaml (https://github.com/golang/vulndb/issues/1256)
  • data/reports/GO-2022-1257.yaml (https://github.com/golang/vulndb/issues/1257)
  • data/reports/GO-2022-1259.yaml (https://github.com/golang/vulndb/issues/1259)
  • data/reports/GO-2022-1260.yaml (https://github.com/golang/vulndb/issues/1260)
  • data/reports/GO-2022-1261.yaml (https://github.com/golang/vulndb/issues/1261)
  • data/reports/GO-2022-1263.yaml (https://github.com/golang/vulndb/issues/1263)
  • data/reports/GO-2022-1264.yaml (https://github.com/golang/vulndb/issues/1264)
  • data/reports/GO-2022-1266.yaml (https://github.com/golang/vulndb/issues/1266)
  • data/reports/GO-2023-1270.yaml (https://github.com/golang/vulndb/issues/1270)
  • data/reports/GO-2023-1285.yaml (https://github.com/golang/vulndb/issues/1285)
  • data/reports/GO-2023-1291.yaml (https://github.com/golang/vulndb/issues/1291)
  • data/reports/GO-2023-1292.yaml (https://github.com/golang/vulndb/issues/1292)
  • data/reports/GO-2023-1449.yaml (https://github.com/golang/vulndb/issues/1449)
  • data/reports/GO-2023-1461.yaml (https://github.com/golang/vulndb/issues/1461)
  • data/reports/GO-2023-1462.yaml (https://github.com/golang/vulndb/issues/1462)
  • data/reports/GO-2023-1465.yaml (https://github.com/golang/vulndb/issues/1465)
  • data/reports/GO-2023-1469.yaml (https://github.com/golang/vulndb/issues/1469)
  • data/reports/GO-2023-1566.yaml (https://github.com/golang/vulndb/issues/1566)
  • data/reports/GO-2023-2036.yaml (https://github.com/golang/vulndb/issues/2036)
  • data/reports/GO-2023-2038.yaml (https://github.com/golang/vulndb/issues/2038)
  • data/reports/GO-2023-2065.yaml (https://github.com/golang/vulndb/issues/2065)
  • data/reports/GO-2024-3046.yaml (https://github.com/golang/vulndb/issues/3046)
  • data/reports/GO-2024-3047.yaml (https://github.com/golang/vulndb/issues/3047)
  • data/reports/GO-2024-3049.yaml (https://github.com/golang/vulndb/issues/3049)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/usememos/memos
      versions:
        - fixed: 0.21.0
      vulnerable_at: 0.20.1
summary: memos CORS Misconfiguration in server.go (GHSL-2024-034) in github.com/usememos/memos
cves:
    - CVE-2024-41659
ghsas:
    - GHSA-p4fx-qf2h-jpmj
references:
    - advisory: https://github.com/advisories/GHSA-p4fx-qf2h-jpmj
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-41659
    - fix: https://github.com/usememos/memos/commit/8101a5e0b162044c16385bee4f12a4a653d050b9
    - web: https://github.com/usememos/memos/blob/v0.20.1/server/server.go#L163
    - web: https://securitylab.github.com/advisories/GHSL-2024-034_memos
source:
    id: GHSA-p4fx-qf2h-jpmj
    created: 2024-08-22T18:01:14.483883165Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/609141 mentions this issue: data/reports: add 21 unreviewed reports