Moderate severity · NVD Advisory · Published Apr 19, 2024 · Updated Aug 2, 2024
memos vulnerable to an SSRF in /o/get/image
CVE-2024-29029
Description
memos is a privacy-first, lightweight note-taking service. In memos 0.13.2, an SSRF vulnerability exists at the /o/get/image endpoint that allows unauthenticated users to enumerate the internal network and retrieve images. The response from the image request is then copied into the response of the current server request, causing a reflected XSS vulnerability. Version 0.22.0 of memos removes the vulnerable file.
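As an added illustration of the hardened form of such a URL-proxying image endpoint (example code, not memos' own; the host names and the injected resolver are constructed), the checks below refuse URLs that resolve to internal addresses, which addresses the SSRF, and pass through only image media types, which keeps a fetched body from being rendered as HTML:

```go
package main

import (
	"errors"
	"net"
	"net/url"
	"strings"
)

// isPrivateIP: loopback, RFC 1918/ULA, link-local and unspecified addresses are internal-only.
func isPrivateIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsUnspecified()
}

// ValidateImageURL is the allow-list check a URL-proxying image endpoint needs before it fetches:
// http(s) only, a non-empty host, and no resolved address inside an internal range. lookup is
// injected so the check runs offline; in production pass net.LookupIP and re-check the dialed IP
// in net.Dialer.Control, because a DNS answer can change between this check and the connect.
func ValidateImageURL(raw string, lookup func(string) ([]net.IP, error)) error {
	u, err := url.Parse(raw)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") {
		return errors.New("only absolute http(s) URLs are accepted")
	}
	ips, err := lookup(u.Hostname())
	if u.Hostname() == "" || err != nil || len(ips) == 0 {
		return errors.New("host is empty or does not resolve")
	}
	for _, ip := range ips {
		if isPrivateIP(ip) {
			return errors.New("host resolves to internal address " + ip.String())
		}
	}
	return nil
}

// IsImageContentType admits only media types a browser renders as an image, so a fetched body
// copied into the response cannot be interpreted as HTML. SVG is excluded because it can carry script.
func IsImageContentType(ct string) bool {
	mt := strings.ToLower(strings.TrimSpace(strings.SplitN(ct, ";", 2)[0]))
	return strings.HasPrefix(mt, "image/") && mt != "image/svg+xml"
}

func main() {
	// Constructed resolver so the program runs offline: every name maps to a private address.
	lookup := func(string) ([]net.IP, error) { return []net.IP{net.ParseIP("10.0.0.5")}, nil }
	println(ValidateImageURL("http://intranet.example/x.png", lookup).Error())
}
```

Pair these checks with `X-Content-Type-Options: nosniff` on the proxied response so the browser does not second-guess the validated media type.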
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/usememos/memos | Go | < 0.22.0 | 0.22.0 |
References
- github.com/advisories/GHSA-9cqm-mgv9-vv9j (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-29029 (NVD advisory)
- securitylab.github.com/advisories/GHSL-2023-154_GHSL-2023-156_memos (GitHub Security Lab advisory)
- github.com/usememos/memos/blob/06dbd8731161245444f4b50f4f9ed267f7c3cf63/api/v1/http_getter.go (source file, GitHub)
- github.com/usememos/memos/commit/bbd206e8930281eb040cc8c549641455892b9eb5 (commit, GitHub)
- securitylab.github.com/advisories/GHSL-2023-154_GHSL-2023-156_memos (MITRE confirmation reference)