CVE-2024-41659 (GCVE-0-2024-41659)
Vulnerability from cvelistv5
Published
2024-08-20 19:54
Modified
2025-01-09 19:15
Severity ?
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
CWE
  • CWE-942 - Permissive Cross-domain Policy with Untrusted Domains
Summary
memos is a privacy-first, lightweight note-taking service. A CORS misconfiguration exists in memos 0.20.1 and earlier where an arbitrary origin is reflected with Access-Control-Allow-Credentials set to true. This may allow an attacking website to make a cross-origin request, allowing the attacker to read private information or make privileged changes to the system as the vulnerable user account. This vulnerability is fixed in 0.21.0.
References
Impacted products
Vendor Product Version
usememos memos Version: < 0.21.0
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:usememos:memos:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "memos",
            "vendor": "usememos",
            "versions": [
              {
                "lessThanOrEqual": "0.20.1",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-41659",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-21T13:24:07.900591Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-09T19:15:30.589Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "memos",
          "vendor": "usememos",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.21.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "memos is a privacy-first, lightweight note-taking service. A CORS misconfiguration exists in memos 0.20.1 and earlier where an arbitrary origin is reflected with Access-Control-Allow-Credentials set to true. This may allow an attacking website to make a cross-origin request, allowing the attacker to read private information or make privileged changes to the system as the vulnerable user account. This vulnerability is fixed in 0.21.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-942",
              "description": "CWE-942: Permissive Cross-domain Policy with Untrusted Domains",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-08-22T15:27:22.743Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://securitylab.github.com/advisories/GHSL-2024-034_memos/",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://securitylab.github.com/advisories/GHSL-2024-034_memos/"
        },
        {
          "name": "https://github.com/usememos/memos/commit/8101a5e0b162044c16385bee4f12a4a653d050b9",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/usememos/memos/commit/8101a5e0b162044c16385bee4f12a4a653d050b9"
        },
        {
          "name": "https://github.com/usememos/memos/blob/v0.20.1/server/server.go#L163",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/usememos/memos/blob/v0.20.1/server/server.go#L163"
        }
      ],
      "source": {
        "advisory": "GHSA-p4fx-qf2h-jpmj",
        "discovery": "UNKNOWN"
      },
      "title": "GHSL-2024-034: memos CORS Misconfiguration in server.go"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-41659",
    "datePublished": "2024-08-20T19:54:08.182Z",
    "dateReserved": "2024-07-18T15:21:47.482Z",
    "dateUpdated": "2025-01-09T19:15:30.589Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-41659\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-08-20T20:15:08.207\",\"lastModified\":\"2025-07-10T15:36:42.900\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"memos is a privacy-first, lightweight note-taking service. A CORS misconfiguration exists in memos 0.20.1 and earlier where an arbitrary origin is reflected with Access-Control-Allow-Credentials set to true. This may allow an attacking website to make a cross-origin request, allowing the attacker to read private information or make privileged changes to the system as the vulnerable user account. This vulnerability is fixed in 0.21.0.\"},{\"lang\":\"es\",\"value\":\"Memos es un servicio de toma de notas liviano y que prioriza la privacidad. Existe una configuraci\u00f3n incorrecta de CORS en memos 0.20.1 y versiones anteriores donde se refleja un origen arbitrario con Access-Control-Allow-Credentials establecido en verdadero. Esto puede permitir que un sitio web atacante realice una solicitud de origen cruzado, lo que le permite leer informaci\u00f3n privada o realizar cambios privilegiados en el sistema como cuenta de usuario vulnerable.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-942\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:usememos:memos:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.21.0\",\"matchCriteriaId\":\"6FC82338-D783-4959-B9C2-D1CE061F4E83\"}]}]}],\"references\":[{\"url\":\"https://github.com/usememos/memos/blob/v0.20.1/server/server.go#L163\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/usememos/memos/commit/8101a5e0b162044c16385bee4f12a4a653d050b9\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://securitylab.github.com/advisories/GHSL-2024-034_memos/\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"GHSL-2024-034: memos CORS Misconfiguration in server.go\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-942\", \"lang\": \"en\", \"description\": \"CWE-942: Permissive Cross-domain Policy with Untrusted Domains\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"LOW\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"NONE\", \"baseScore\": 8.1, \"baseSeverity\": \"HIGH\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"scope\": \"UNCHANGED\", \"userInteraction\": \"REQUIRED\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N\", \"version\": \"3.1\"}}], \"references\": [{\"name\": \"https://securitylab.github.com/advisories/GHSL-2024-034_memos/\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://securitylab.github.com/advisories/GHSL-2024-034_memos/\"}, {\"name\": \"https://github.com/usememos/memos/commit/8101a5e0b162044c16385bee4f12a4a653d050b9\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/usememos/memos/commit/8101a5e0b162044c16385bee4f12a4a653d050b9\"}, {\"name\": \"https://github.com/usememos/memos/blob/v0.20.1/server/server.go#L163\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/usememos/memos/blob/v0.20.1/server/server.go#L163\"}], \"affected\": [{\"vendor\": \"usememos\", \"product\": \"memos\", \"versions\": [{\"version\": \"\u003c 0.21.0\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-08-22T15:27:22.743Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"memos is a privacy-first, lightweight note-taking service. A CORS misconfiguration exists in memos 0.20.1 and earlier where an arbitrary origin is reflected with Access-Control-Allow-Credentials set to true. This may allow an attacking website to make a cross-origin request, allowing the attacker to read private information or make privileged changes to the system as the vulnerable user account. This vulnerability is fixed in 0.21.0.\"}], \"source\": {\"advisory\": \"GHSA-p4fx-qf2h-jpmj\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-41659\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-08-21T13:24:07.900591Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:usememos:memos:-:*:*:*:*:*:*:*\"], \"vendor\": \"usememos\", \"product\": \"memos\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"0.20.1\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-08-21T13:25:28.790Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-41659\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2024-07-18T15:21:47.482Z\", \"datePublished\": \"2024-08-20T19:54:08.182Z\", \"dateUpdated\": \"2025-01-09T19:15:30.589Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.