CVE-2024-29030
Published: 19 April 2024
Summary
CVE-2024-29030 is a medium-severity server-side request forgery (SSRF, CWE-918) vulnerability in memos (usememos/memos). Its CVSS base score is 5.8 (Medium).
Operationally, it ranks in the top 10.5% of CVEs by predicted exploit likelihood (EPSS percentile); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2024-29030 is a server-side request forgery vulnerability in the memos note-taking service, present in version 0.13.2 at the /api/resource endpoint. The flaw, tracked under CWE-918, lets a caller make the memos server issue requests to destinations of the caller's choosing, including hosts on the internal network that are not reachable from outside. The affected component is the resource-handling logic of the memos API; the project addressed it by removing the vulnerable file in version 0.22.0.
Exploitation requires an authenticated memos account, is performed over the network with low attack complexity, and yields internal network enumeration: the attacker learns which internal hosts and ports answer, a limited confidentiality impact on the systems behind the application rather than on memos itself. Where memos runs on a cloud instance, an SSRF of this kind should also be assumed to reach the instance metadata service, the usual escalation path for SSRF, and that should be checked during triage. The CVSS 5.8 base score reflects that the impact lands beyond the vulnerable component, with no user interaction required.
Public references, including the GitHub Security Lab advisory GHSL-2023-154 and the memos repository commit bbd206e, confirm that upgrading to version 0.22.0 eliminates the vulnerable code path. The patch removes the affected resource.go implementation, which previously accepted caller-supplied URLs without validating their destination. Because the fix removes the feature rather than adding validation, the remediation is an upgrade; 0.22.0 is many releases past 0.13.2, so plan it as a version migration rather than a drop-in patch, and restrict the memos host's outbound connections at the network boundary in the meantime.
The EPSS probability peaked at 0.0676 and has since receded to 0.0461. EPSS estimates the chance of exploitation activity within the next 30 days, so these values are low in absolute terms even though they still place the CVE in the top tenth of all CVEs by percentile; the decline after disclosure suggests no sustained exploitation interest.
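The vulnerable shape behind this CVE class is a handler that takes a caller-supplied link and hands it to a bare http.Get, so the server fetches whatever address the caller chose. The Go code below is an added example, not memos' own code and not the 0.22.0 fix, of the hardening the description implies: scheme, userinfo and literal-address checks before the request, a connect-time check on the resolved IP (so a hostname that rebinds to an internal address between validation and connect is still refused), no environment proxy, and re-validation of every redirect target. All function names, the denied address ranges and the sample links are assumptions made for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"net/url"
	"strings"
	"syscall"
	"time"
)

// isForbiddenAddr reports whether a is loopback, private, link-local (which
// covers 169.254.169.254), multicast, unspecified or otherwise reserved.
func isForbiddenAddr(a netip.Addr) bool {
	a = a.Unmap() // treat ::ffff:10.0.0.1 as 10.0.0.1
	if a.IsLoopback() || a.IsPrivate() || a.IsLinkLocalUnicast() ||
		a.IsLinkLocalMulticast() || a.IsInterfaceLocalMulticast() ||
		a.IsMulticast() || a.IsUnspecified() {
		return true
	}
	// Shared address space (RFC 6598) and 0.0.0.0/8 are not covered above.
	return netip.MustParsePrefix("100.64.0.0/10").Contains(a) ||
		netip.MustParsePrefix("0.0.0.0/8").Contains(a)
}

// validateExternalLink checks what can be checked without touching the network.
// Hostnames are deliberately not resolved here: the dialer checks the resolved
// address at connect time, which closes the DNS-rebinding gap.
func validateExternalLink(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	if u.User != nil {
		return nil, errors.New("userinfo in external link not allowed")
	}
	host := strings.ToLower(u.Hostname())
	if host == "" || host == "localhost" || strings.HasSuffix(host, ".localhost") {
		return nil, fmt.Errorf("host %q not allowed", host)
	}
	if a, err := netip.ParseAddr(host); err == nil && isForbiddenAddr(a) {
		return nil, fmt.Errorf("%s is not a permitted destination", a)
	}
	return u, nil
}

// checkDialAddress runs on the resolved ip:port immediately before connect.
func checkDialAddress(address string) error {
	host, _, err := net.SplitHostPort(address)
	if err != nil {
		return err
	}
	a, err := netip.ParseAddr(host)
	if err != nil {
		return fmt.Errorf("dial target %q is not an IP literal: %w", host, err)
	}
	if isForbiddenAddr(a) {
		return fmt.Errorf("connection to %s refused by SSRF policy", a)
	}
	return nil
}

// newSafeClient wires the checks into an http.Client: no environment proxy (a
// proxy would bypass the dial check), a connect-time address check, and
// re-validation of every redirect target. The hardened fetch is then
// validateExternalLink(link) followed by newSafeClient().Get(link).
func newSafeClient() *http.Client {
	dialer := &net.Dialer{
		Timeout: 5 * time.Second,
		Control: func(_, address string, _ syscall.RawConn) error {
			return checkDialAddress(address)
		},
	}
	return &http.Client{
		Timeout:   15 * time.Second,
		Transport: &http.Transport{Proxy: nil, DialContext: dialer.DialContext},
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 3 {
				return errors.New("too many redirects")
			}
			_, err := validateExternalLink(req.URL.String())
			return err
		},
	}
}

func main() {
	for _, link := range []string{"https://example.com/image.png",
		"http://169.254.169.254/latest/meta-data/", "http://[::ffff:10.0.0.7]/"} {
		_, err := validateExternalLink(link)
		fmt.Printf("%-42s -> %v\n", link, err)
	}
}
```

The split between validateExternalLink and checkDialAddress is the point: a pre-request check alone is defeated by a hostname whose DNS answer changes after validation, while net.Dialer.Control sees the literal address Go is about to connect to. Setting Proxy to nil matters for the same reason: with an HTTP proxy configured, the proxy does the connecting and the dial check never runs.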
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-2509
Vulnerability details
memos is a privacy-first, lightweight note-taking service. In memos 0.13.2, an SSRF vulnerability exists at the /api/resource endpoint that allows authenticated users to enumerate the internal network. Version 0.22.0 of memos removes the vulnerable file.
- CWE(s): CWE-918 Server-Side Request Forgery (SSRF)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Penetration testing: attempt server-side requests to internal resources (loopback, RFC 1918 ranges and link-local addresses such as a cloud metadata endpoint) to identify SSRF weaknesses for remediation.
- Boundary controls: monitor and limit the application host's outbound connections at the network boundary; with an egress allowlist in place, an SSRF can only reach destinations the server legitimately needs, which caps its impact.
- Input validation: validate server-side URLs and resource references (scheme, host and the resolved address) before the server fetches them, to block SSRF attempts.
- Detection: monitor for unexpected outbound connections from the application tier; a server that starts probing internal addresses is the observable signature of server-side request forgery.
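The boundary-monitoring and detection controls above, as an added Go example that is not part of this page or of memos: it evaluates constructed outbound-connection records from an application host against an egress allowlist, reports anything else, and escalates contact with the cloud metadata address or another internal address, since those are what an SSRF is aimed at. The allowlist entries, the record format and the flow lines are all invented for the example (documentation address ranges are used for the external destinations).

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// egressRule: a destination prefix and port the application host may reach.
type egressRule struct {
	dst  netip.Prefix
	port uint16 // 0 = any port
	desc string
}

// Constructed allowlist: the object-storage endpoint, the site resolver and
// the memos database, nothing else.
var allowlist = []egressRule{
	{netip.MustParsePrefix("203.0.113.0/24"), 443, "object storage"},
	{netip.MustParsePrefix("198.51.100.53/32"), 53, "DNS resolver"},
	{netip.MustParsePrefix("10.20.0.5/32"), 5432, "postgres"},
}

type flow struct {
	ts, host string
	dst      netip.AddrPort
}

type finding struct {
	flow     flow
	severity string
	reason   string
}

// parseFlow reads one record of the invented form "<ts> <host> <src> -> <dst>".
func parseFlow(line string) (flow, error) {
	f := strings.Fields(line)
	if len(f) != 5 || f[3] != "->" {
		return flow{}, fmt.Errorf("malformed flow record: %q", line)
	}
	dst, err := netip.ParseAddrPort(f[4])
	if err != nil {
		return flow{}, err
	}
	return flow{ts: f[0], host: f[1], dst: dst}, nil
}

// evaluate returns nil for an allowed flow, otherwise a finding. Anything off
// the allowlist is reported; metadata-service or other internal contact is
// escalated to high.
func evaluate(fl flow) *finding {
	d := fl.dst.Addr().Unmap()
	for _, r := range allowlist {
		if r.dst.Contains(d) && (r.port == 0 || r.port == fl.dst.Port()) {
			return nil
		}
	}
	sev, reason := "medium", "destination not in egress allowlist"
	switch {
	case d == netip.MustParseAddr("169.254.169.254"):
		sev, reason = "high", "cloud metadata endpoint contacted"
	case d.IsPrivate() || d.IsLoopback() || d.IsLinkLocalUnicast():
		sev, reason = "high", "internal address contacted outside the allowlist"
	}
	return &finding{flow: fl, severity: sev, reason: reason}
}

// scan evaluates every record and returns findings in input order.
func scan(lines []string) ([]finding, []error) {
	var out []finding
	var errs []error
	for _, l := range lines {
		fl, err := parseFlow(l)
		if err != nil {
			errs = append(errs, err)
			continue
		}
		if f := evaluate(fl); f != nil {
			out = append(out, *f)
		}
	}
	return out, errs
}

// sampleFlows are constructed connection records, not real telemetry.
var sampleFlows = []string{
	"2024-04-20T10:00:01Z memos-app 10.20.0.15:41234 -> 203.0.113.10:443",
	"2024-04-20T10:00:02Z memos-app 10.20.0.15:41235 -> 198.51.100.53:53",
	"2024-04-20T10:00:03Z memos-app 10.20.0.15:41236 -> 10.20.0.5:5432",
	"2024-04-20T10:00:04Z memos-app 10.20.0.15:41237 -> 169.254.169.254:80",
	"2024-04-20T10:00:05Z memos-app 10.20.0.15:41238 -> 10.20.0.5:22",
	"2024-04-20T10:00:06Z memos-app 10.20.0.15:41239 -> 93.184.216.34:80",
}

func main() {
	findings, _ := scan(sampleFlows)
	for _, f := range findings {
		fmt.Printf("[%s] %s %s -> %s: %s\n", f.severity, f.flow.ts, f.flow.host, f.flow.dst, f.reason)
	}
}
```

Rules are port-specific on purpose: the database host is legitimate on 5432, so the record to the same host on port 22 is still reported, which is exactly the difference between normal application traffic and an SSRF being used to enumerate the internal network.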