CVE-2024-41659: memos CORS Misconfiguration in server.go (GHSL-2024-034)

August 22, 2024

memos is a privacy-first, lightweight note-taking service. A CORS misconfiguration exists in memos 0.20.1 and earlier where an arbitrary origin is reflected with Access-Control-Allow-Credentials set to true. This may allow an attacking website to make a cross-origin request, allowing the attacker to read private information or make privileged changes to the system as the vulnerable user account.

References

github.com/advisories/GHSA-p4fx-qf2h-jpmj
github.com/usememos/memos
github.com/usememos/memos/blob/v0.20.1/server/server.go
github.com/usememos/memos/commit/8101a5e0b162044c16385bee4f12a4a653d050b9
nvd.nist.gov/vuln/detail/CVE-2024-41659
securitylab.github.com/advisories/GHSL-2024-034_memos

Detect and mitigate CVE-2024-41659 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →