Lucene search

Veracode Vulnerability DatabaseVERACODE:46605

HistoryApr 24, 2024 - 10:03 a.m.

Server-Side Request Forgery (SSRF)

2024-04-2410:03:25

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

server-side request forgery

ssrf

vulnerability

endpoint

user input

crafted requests

internal network

CVSS3

5.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

AI Score

6.7

Confidence

High

EPSS

0.001

Percentile

26.4%

JSON

github.com/usememos/memos is vulnerable to Server-Side Request Forgery (SSRF). The vulnerability is due to improper validation of user input at the /api/resource endpoint, allowing authenticated users to send crafted requests and perform Server-Side Request Forgery (SSRF) to enumerate the internal network.

References

github.com/usememos/memos/blob/06dbd8731161245444f4b50f4f9ed267f7c3cf63/api/v1/resource.go#L83

github.com/usememos/memos/commit/31997936d64b5e4ff261214dfca384c70c4c3caa

github.com/usememos/memos/commit/bbd206e8930281eb040cc8c549641455892b9eb5

securitylab.github.com/advisories/GHSL-2023-154_GHSL-2023-156_memos/

CVSS3

5.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

AI Score

6.7

Confidence

High

EPSS

0.001

Percentile

26.4%

JSON

Related for VERACODE:46605