
CVE-2022-4767: usememos/memos Denial of Service vulnerability

CVSS Score (v3.1): 7.5

Basic Information

EPSS Score: 0.20629%
Published: 12/27/2022
Updated: 2/3/2023
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected package
Package Name: github.com/usememos/memos
Ecosystem: go
Vulnerable Versions: <= 0.9.0
First Patched Version: 0.9.1

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from missing input validation on user-controllable fields (username, password, nickname, email) in both user creation and user update operations. The UserCreate.Validate function had no maximum length checks, and the UserPatch struct had no validation method at all. The server's PATCH handler checked only the email format, not the other fields. An attacker could therefore submit oversized values in these fields, causing uncontrolled resource consumption (CWE-400). The patch added length validation to UserCreate.Validate and introduced UserPatch.Validate, which the server now calls before applying a patch.
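The check described above, as an added example that is not memos' own code: a PATCH body type with optional fields and a Validate method that bounds every field that is present, so oversized input is rejected before it reaches the store. The field names, the length limits and the ErrTooLong sentinel are assumptions for this example.

```go
package main

import (
	"errors"
	"fmt"
	"unicode/utf8"
)

// Illustrative maximums; assumed for this example, not the project's values.
const (
	maxUsernameLen = 32
	maxPasswordLen = 512
	maxNicknameLen = 64
	maxEmailLen    = 254
)

// ErrTooLong is returned when a supplied field exceeds its maximum length.
var ErrTooLong = errors.New("field exceeds maximum length")

// UserPatch models a PATCH body in which every field is optional (nil when
// absent). Field names are assumed for this example.
type UserPatch struct {
	Username *string
	Password *string
	Nickname *string
	Email    *string
}

// checkLen accepts an absent field and rejects one longer than max runes.
func checkLen(name string, v *string, max int) error {
	if v == nil {
		return nil
	}
	if n := utf8.RuneCountInString(*v); n > max {
		return fmt.Errorf("%s: %w (%d > %d)", name, ErrTooLong, n, max)
	}
	return nil
}

// Validate is the method the vulnerable version lacked: every present field
// is bounded before the patch reaches the store. errors.Join reports all
// violations at once and is nil when every check passes.
func (p *UserPatch) Validate() error {
	return errors.Join(
		checkLen("username", p.Username, maxUsernameLen),
		checkLen("password", p.Password, maxPasswordLen),
		checkLen("nickname", p.Nickname, maxNicknameLen),
		checkLen("email", p.Email, maxEmailLen),
	)
}
```

A handler applying this pattern calls Validate on the decoded body and returns 400 on error; bounding the request body size on the way in (for example with http.MaxBytesReader) is the complementary control.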


WAF Protection Rules

WAF Rule

Denial of Service in GitHub repository usememos/memos 0.9.0 and prior. A patch is available on the `main` branch at commit number ****************************************.
