History: Apr 19, 2024 - 3:15 p.m.

CVE-2024-29028

2024-04-19 15:15:50
CWE-918
GitHub_M
web.nvd.nist.gov
Tags: ssrf, vulnerability, memos, unauthenticated, enumerate, internal network, fixed, 0.13.2, 0.16.1

CVSS3: 5.8

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

AI Score: 5.5
Confidence: High

EPSS: 0
Percentile: 9.0%

memos is a privacy-first, lightweight note-taking service. In memos 0.13.2, an SSRF vulnerability exists at the /o/get/httpmeta endpoint that allows unauthenticated users to enumerate the internal network and receive limited HTML values in JSON form. This vulnerability is fixed in 0.16.1.

Affected configurations

Node: usememos memos, Range: <0.16.1

Vendor    Product  Version  CPE
usememos  memos    *        cpe:2.3:a:usememos:memos:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "vendor": "usememos",
    "product": "memos",
    "versions": [
      {
        "version": "< 0.16.1",
        "status": "affected"
      }
    ]
  }
]