x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-j2gj-g3p9-7mrr #2038

GoVulnBot · 2023-09-01T22:01:31Z

In GitHub Security Advisory GHSA-j2gj-g3p9-7mrr, there is a vulnerability in the following Go packages or modules:

Unit	Fixed	Vulnerable Ranges
github.com/usememos/memos	0.13.2	< 0.13.2

Cross references:

Module github.com/usememos/memos appears in issue x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-rgj5-jj5q-v3v7 #1173 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-c8jh-vcjh-fx2w #1189 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-vwg4-846x-f94v #1190 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-w57v-6xp4-rm2v #1191 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-qcw2-492v-57xj #1192 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-9v48-2h5x-fvpm #1205 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-68gw-r2x5-7r5r #1215 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-f552-97qx-c694 #1216 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-fv6c-rfg3-gvjw #1217 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-qr52-59r6-49f4 #1218 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-33m8-f4hw-wm3q #1219 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-j593-h5v3-45x6 #1220 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-97rc-mm5j-f6rj #1225 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-c2v4-8r9g-g5xj #1226 NOT_GO_CODE
Module github.com/usememos/memos appears in issue x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-v92p-phmp-xffr #1228 NOT_GO_CODE
Module github.com/usememos/memos appears in issue x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-f83p-pg86-p922 #1235 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-ghx2-6v4g-9wmm #1236 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-jvq8-w7qv-hqp6 #1239 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-mfvq-m3jj-8864 #1240 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-qcf5-m2c6-89f2 #1243 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-qrrf-xvcf-p64q #1244 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-qw36-rw5q-gxcq #1245 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-rx2m-xr4x-54hh #1248 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-642q-2q68-9j3p #1250 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-6fx9-29x2-fmfj #1251 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-6w5w-wx8w-2cq9 #1252 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-7qpw-2j9m-rw8c #1253 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-c5hq-35h7-r9x4 #1254 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-cwrm-33qq-4w2x #1255 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-gfj4-wg89-m22r #1256 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-gw9m-2m5v-c6x5 #1257 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-gxqf-4g4p-q3hc #1258 NOT_GO_CODE
Module github.com/usememos/memos appears in issue x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-hc5q-26h8-r9wf #1259 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-m5pr-wm6q-x4g2 #1260 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-pp3p-6jjh-rmg7 #1261 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-pwhr-p68w-296x #1262 NOT_GO_CODE
Module github.com/usememos/memos appears in issue x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-qf9q-3wwx-8qjv #1263 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-r7hg-2cpp-8wqq #1264 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-rmhx-9h5h-3xh3 #1265 NOT_GO_CODE
Module github.com/usememos/memos appears in issue x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-vh43-cc6x-prpr #1266 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-6whj-8g9g-5jvx #1270 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-8w5q-5fpq-v4pm #1271 NOT_GO_CODE
Module github.com/usememos/memos appears in issue x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-x9p9-v3x6-68mq #1272 NOT_GO_CODE
Module github.com/usememos/memos appears in issue x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-42q2-m54f-jh95 #1285 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-5jqp-wmhj-g33f #1286 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-mfmp-8mqg-q4wm #1291 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-mq5q-gpgv-pwxw #1292 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-r3p3-5f35-h6mf #1449 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-8686-4cr3-76wj #1460 NOT_GO_CODE
Module github.com/usememos/memos appears in issue x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-9h7x-9pmh-7gg8 #1461 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-fpjc-cxr6-w6h8 #1462 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-h2ph-9r76-37v5 #1465 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-pcvh-px2p-vmxw #1467 NOT_GO_CODE
Module github.com/usememos/memos appears in issue x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-x22v-qgm2-7qc7 #1469 EFFECTIVELY_PRIVATE
Module github.com/usememos/memos appears in issue x/vulndb: potential Go vuln in github.com/usememos/memos/server: CVE-2022-25978 #1566

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/usememos/memos
      versions:
        - fixed: 0.13.2
      vulnerable_at: 0.13.1
      packages:
        - package: github.com/usememos/memos
summary: Account TakeOver Due to Improper Handling of JWT Tokens in usememos/memos
description: |-
    Improper Access Control in GitHub repository usememos/memos prior to 0.13.2. As
    of commit `c9aa2eeb9` access tokens which fail validation are rejected.
cves:
    - CVE-2023-4696
ghsas:
    - GHSA-j2gj-g3p9-7mrr
references:
    - web: https://nvd.nist.gov/vuln/detail/CVE-2023-4696
    - fix: https://github.com/usememos/memos/commit/c9aa2eeb9852047e4f41915eb30726bd25f07ecd
    - web: https://huntr.dev/bounties/4747a485-77c3-4bb5-aab0-21253ef303ca
    - advisory: https://github.com/advisories/GHSA-j2gj-g3p9-7mrr

The text was updated successfully, but these errors were encountered:

gopherbot · 2023-09-09T17:29:29Z

Change https://go.dev/cl/527176 mentions this issue: data/excluded: batch add 14 excluded reports

gopherbot · 2024-06-14T17:51:29Z

Change https://go.dev/cl/592762 mentions this issue: data/reports: unexclude 75 reports

gopherbot · 2024-08-20T16:54:40Z

Change https://go.dev/cl/606790 mentions this issue: data/reports: unexclude 20 reports (10)

- data/reports/GO-2023-1997.yaml - data/reports/GO-2023-1999.yaml - data/reports/GO-2023-2001.yaml - data/reports/GO-2023-2004.yaml - data/reports/GO-2023-2005.yaml - data/reports/GO-2023-2006.yaml - data/reports/GO-2023-2011.yaml - data/reports/GO-2023-2012.yaml - data/reports/GO-2023-2014.yaml - data/reports/GO-2023-2018.yaml - data/reports/GO-2023-2020.yaml - data/reports/GO-2023-2022.yaml - data/reports/GO-2023-2023.yaml - data/reports/GO-2023-2025.yaml - data/reports/GO-2023-2026.yaml - data/reports/GO-2023-2028.yaml - data/reports/GO-2023-2036.yaml - data/reports/GO-2023-2038.yaml - data/reports/GO-2023-2049.yaml - data/reports/GO-2023-2050.yaml Updates #1997 Updates #1999 Updates #2001 Updates #2004 Updates #2005 Updates #2006 Updates #2011 Updates #2012 Updates #2014 Updates #2018 Updates #2020 Updates #2022 Updates #2023 Updates #2025 Updates #2026 Updates #2028 Updates #2036 Updates #2038 Updates #2049 Updates #2050 Change-Id: Iac9a2efe688e28fa0889e8a14e9b4fea7677a197 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/606790 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Damien Neil <dneil@google.com> Auto-Submit: Tatiana Bradley <tatianabradley@google.com>

timothy-king self-assigned this Sep 8, 2023

timothy-king added the excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. label Sep 8, 2023

gopherbot closed this as completed in 74276ae Sep 11, 2023

GoVulnBot mentioned this issue Sep 18, 2023

x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-2g7r-9xq5-c6hv #2065

Closed

This was referenced Aug 1, 2024

github.com/usememos/memos: CVE-2024-29029 tatianab/scratch#25

Open

github.com/usememos/memos: CVE-2024-29030 tatianab/scratch#26

Open

GoVulnBot mentioned this issue Aug 22, 2024

x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-p4fx-qf2h-jpmj #3088

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-j2gj-g3p9-7mrr #2038

x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-j2gj-g3p9-7mrr #2038

GoVulnBot commented Sep 1, 2023

gopherbot commented Sep 9, 2023

gopherbot commented Jun 14, 2024

gopherbot commented Aug 20, 2024

x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-j2gj-g3p9-7mrr #2038

x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-j2gj-g3p9-7mrr #2038

Comments

GoVulnBot commented Sep 1, 2023

gopherbot commented Sep 9, 2023

gopherbot commented Jun 14, 2024

gopherbot commented Aug 20, 2024