
CVE-2022-4797:
usememos/memos vulnerable to Improper Restriction of Excessive Authentication Attempts

CVSS Score (CVSS v3.1): 4.3

Basic Information

EPSS Score: 0.42676%
Published: 12/28/2022
Updated: 2/3/2023
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Package Name: github.com/usememos/memos
Ecosystem: go
Vulnerable Versions: <= 0.9.0
First Patched Version: 0.9.1

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stemmed from insufficient access control in the deletion endpoints. The patch added explicit creator ID checks (memo.CreatorID != userID) after fetching the resource, indicating that previous versions relied only on a flawed filtered find. The diff shows:

- The original code used MemoFind{CreatorID: &userID} but did not verify actual ownership of the fetched memo.
- Post-patch, an explicit memo.CreatorID comparison was added.
- The same pattern exists in the resource deletion endpoint.

This demonstrates missing authorization checks in the deletion handlers, which allowed ID brute-forcing attacks against other users' posts.
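The flawed-find-then-delete pattern and the ownership re-check the patch introduced, as an added Go example that is not the memos project's own code: Store, MemoFind, DeleteVulnerable, DeleteFixed and NewStore are constructed stand-ins, and the in-memory store is seeded with constructed users 10 and 20.

```go
package main

import "errors"

// Memo is a constructed stand-in for a stored post; CreatorID is its owner.
type Memo struct{ ID, CreatorID int }

// MemoFind mirrors the filter shape named in the analysis (assumed, not the project's type).
type MemoFind struct{ ID, CreatorID *int }

// Store is a constructed in-memory memo table keyed by memo ID.
type Store map[int]*Memo

// find applies only the ID filter and ignores CreatorID: the "flawed filtered find" the analysis describes.
func (s Store) find(f MemoFind) (*Memo, error) {
	if f.ID != nil {
		if m, ok := s[*f.ID]; ok {
			return m, nil
		}
	}
	return nil, errors.New("memo not found")
}

// DeleteVulnerable trusts the filter and deletes whatever find returns.
func (s Store) DeleteVulnerable(userID, memoID int) error {
	m, err := s.find(MemoFind{ID: &memoID, CreatorID: &userID})
	if err != nil {
		return err
	}
	delete(s, m.ID)
	return nil
}

// DeleteFixed re-checks ownership on the fetched record: the explicit creator-ID comparison the patch added.
func (s Store) DeleteFixed(userID, memoID int) error {
	m, err := s.find(MemoFind{ID: &memoID, CreatorID: &userID})
	if err != nil {
		return err
	}
	if m.CreatorID != userID {
		return errors.New("forbidden: memo belongs to another user")
	}
	delete(s, m.ID)
	return nil
}

// NewStore seeds two memos owned by different constructed users (10 and 20).
func NewStore() Store {
	return Store{1: {ID: 1, CreatorID: 10}, 2: {ID: 2, CreatorID: 20}}
}
```

The defensive point is that a filter passed to a lookup is not an authorization decision; the handler must compare the fetched record's owner to the caller after the fetch.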

WAF Protection Rules

WAF Rule

In usememos/memos 0.9.0 and prior, an attacker can delete other users' posts via post id, which can be done via brute force.
