memos vulnerable to an SSRF in /o/get/httpmeta
CVE-2024-29028

5.8MEDIUM

Key Information:

Vendor: Usememos
Status: Memos
Vendor: CVE Published:; 19 April 2024

Summary

memos is a privacy-first, lightweight note-taking service. In memos 0.13.2, an SSRF vulnerability exists at the /o/get/httpmeta that allows unauthenticated users to enumerate the internal network and receive limited html values in json form. This vulnerability is fixed in 0.16.1.

Affected Version(s)

memos < 0.16.1

References

https://github.com/usememos/memos/commit/6ffc09d86a1302c3...

x_refsource_CONFIRM

https://securitylab.github.com/advisories/GHSL-2023-154_G...

x_refsource_MISC

CVSS V3.1

Score:

5.8

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Apr 19, 2024