x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-p4fx-qf2h-jpmj #3088

GoVulnBot · 2024-08-22T18:01:15Z

Advisory GHSA-p4fx-qf2h-jpmj references a vulnerability in the following Go modules:

Module
github.com/usememos/memos

Description:
memos is a privacy-first, lightweight note-taking service. A CORS misconfiguration exists in memos 0.20.1 and earlier where an arbitrary origin is reflected with Access-Control-Allow-Credentials set to true. This may allow an attacking website to make a cross-origin request, allowing the attacker to read private information or make privileged changes to the system as the vulnerable user account.

References:

ADVISORY: GHSA-p4fx-qf2h-jpmj
ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-41659
FIX: usememos/memos@8101a5e
WEB: https://github.com/usememos/memos/blob/v0.20.1/server/server.go#L163
WEB: https://securitylab.github.com/advisories/GHSL-2024-034_memos

Cross references:

github.com/usememos/memos appears in 62 other report(s):
- data/excluded/GO-2022-1173.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-rgj5-jj5q-v3v7 #1173) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1226.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-c2v4-8r9g-g5xj #1226) NOT_GO_CODE
- data/excluded/GO-2022-1228.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-v92p-phmp-xffr #1228) NOT_GO_CODE
- data/excluded/GO-2022-1254.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-c5hq-35h7-r9x4 #1254) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1255.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-cwrm-33qq-4w2x #1255) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-1258.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-gxqf-4g4p-q3hc #1258) NOT_GO_CODE
- data/excluded/GO-2022-1262.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-pwhr-p68w-296x #1262) NOT_GO_CODE
- data/excluded/GO-2022-1265.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-rmhx-9h5h-3xh3 #1265) NOT_GO_CODE
- data/excluded/GO-2023-1271.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-8w5q-5fpq-v4pm #1271) NOT_GO_CODE
- data/excluded/GO-2023-1272.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-x9p9-v3x6-68mq #1272) NOT_GO_CODE
- data/excluded/GO-2023-1286.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-5jqp-wmhj-g33f #1286) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1460.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-8686-4cr3-76wj #1460) NOT_GO_CODE
- data/excluded/GO-2023-1467.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-pcvh-px2p-vmxw #1467) NOT_GO_CODE
- data/excluded/GO-2023-2037.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-96gq-6ch5-mm54 #2037) EFFECTIVELY_PRIVATE
- data/reports/GO-2022-1189.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-c8jh-vcjh-fx2w #1189)
- data/reports/GO-2022-1190.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-vwg4-846x-f94v #1190)
- data/reports/GO-2022-1191.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-w57v-6xp4-rm2v #1191)
- data/reports/GO-2022-1192.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-qcw2-492v-57xj #1192)
- data/reports/GO-2022-1205.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-9v48-2h5x-fvpm #1205)
- data/reports/GO-2022-1215.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-68gw-r2x5-7r5r #1215)
- data/reports/GO-2022-1216.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-f552-97qx-c694 #1216)
- data/reports/GO-2022-1217.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-fv6c-rfg3-gvjw #1217)
- data/reports/GO-2022-1218.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-qr52-59r6-49f4 #1218)
- data/reports/GO-2022-1219.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-33m8-f4hw-wm3q #1219)
- data/reports/GO-2022-1220.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-j593-h5v3-45x6 #1220)
- data/reports/GO-2022-1225.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-97rc-mm5j-f6rj #1225)
- data/reports/GO-2022-1235.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-f83p-pg86-p922 #1235)
- data/reports/GO-2022-1236.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-ghx2-6v4g-9wmm #1236)
- data/reports/GO-2022-1239.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-jvq8-w7qv-hqp6 #1239)
- data/reports/GO-2022-1240.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-mfvq-m3jj-8864 #1240)
- data/reports/GO-2022-1243.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-qcf5-m2c6-89f2 #1243)
- data/reports/GO-2022-1244.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-qrrf-xvcf-p64q #1244)
- data/reports/GO-2022-1245.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-qw36-rw5q-gxcq #1245)
- data/reports/GO-2022-1248.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-rx2m-xr4x-54hh #1248)
- data/reports/GO-2022-1250.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-642q-2q68-9j3p #1250)
- data/reports/GO-2022-1251.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-6fx9-29x2-fmfj #1251)
- data/reports/GO-2022-1252.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-6w5w-wx8w-2cq9 #1252)
- data/reports/GO-2022-1253.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-7qpw-2j9m-rw8c #1253)
- data/reports/GO-2022-1256.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-gfj4-wg89-m22r #1256)
- data/reports/GO-2022-1257.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-gw9m-2m5v-c6x5 #1257)
- data/reports/GO-2022-1259.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-hc5q-26h8-r9wf #1259)
- data/reports/GO-2022-1260.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-m5pr-wm6q-x4g2 #1260)
- data/reports/GO-2022-1261.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-pp3p-6jjh-rmg7 #1261)
- data/reports/GO-2022-1263.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-qf9q-3wwx-8qjv #1263)
- data/reports/GO-2022-1264.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-r7hg-2cpp-8wqq #1264)
- data/reports/GO-2022-1266.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-vh43-cc6x-prpr #1266)
- data/reports/GO-2023-1270.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-6whj-8g9g-5jvx #1270)
- data/reports/GO-2023-1285.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-42q2-m54f-jh95 #1285)
- data/reports/GO-2023-1291.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-mfmp-8mqg-q4wm #1291)
- data/reports/GO-2023-1292.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-mq5q-gpgv-pwxw #1292)
- data/reports/GO-2023-1449.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-r3p3-5f35-h6mf #1449)
- data/reports/GO-2023-1461.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-9h7x-9pmh-7gg8 #1461)
- data/reports/GO-2023-1462.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-fpjc-cxr6-w6h8 #1462)
- data/reports/GO-2023-1465.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-h2ph-9r76-37v5 #1465)
- data/reports/GO-2023-1469.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-x22v-qgm2-7qc7 #1469)
- data/reports/GO-2023-1566.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos/server: CVE-2022-25978 #1566)
- data/reports/GO-2023-2036.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-5j6p-59cj-j6cp #2036)
- data/reports/GO-2023-2038.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-j2gj-g3p9-7mrr #2038)
- data/reports/GO-2023-2065.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-2g7r-9xq5-c6hv #2065)
- data/reports/GO-2024-3046.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-65fm-2jgr-j7qq #3046)
- data/reports/GO-2024-3047.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-6fcf-g3mp-xj2x #3047)
- data/reports/GO-2024-3049.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-9cqm-mgv9-vv9j #3049)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/usememos/memos
      versions:
        - fixed: 0.21.0
      vulnerable_at: 0.20.1
summary: memos CORS Misconfiguration in server.go (GHSL-2024-034) in github.com/usememos/memos
cves:
    - CVE-2024-41659
ghsas:
    - GHSA-p4fx-qf2h-jpmj
references:
    - advisory: https://github.com/advisories/GHSA-p4fx-qf2h-jpmj
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-41659
    - fix: https://github.com/usememos/memos/commit/8101a5e0b162044c16385bee4f12a4a653d050b9
    - web: https://github.com/usememos/memos/blob/v0.20.1/server/server.go#L163
    - web: https://securitylab.github.com/advisories/GHSL-2024-034_memos
source:
    id: GHSA-p4fx-qf2h-jpmj
    created: 2024-08-22T18:01:14.483883165Z
review_status: UNREVIEWED

The text was updated successfully, but these errors were encountered:

gopherbot · 2024-08-30T16:03:59Z

Change https://go.dev/cl/609141 mentions this issue: data/reports: add 21 unreviewed reports

ianthehat added the triaged label Aug 23, 2024

gopherbot closed this as completed in fe86cd7 Aug 30, 2024

GoVulnBot mentioned this issue Nov 15, 2024

x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-5r2g-59px-3q9w #3274

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-p4fx-qf2h-jpmj #3088

x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-p4fx-qf2h-jpmj #3088

GoVulnBot commented Aug 22, 2024

gopherbot commented Aug 30, 2024

x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-p4fx-qf2h-jpmj #3088

x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-p4fx-qf2h-jpmj #3088

Comments

GoVulnBot commented Aug 22, 2024

gopherbot commented Aug 30, 2024