Miggo Logo
Miggo Vulnerability Database
CVE-2022-4803

CVE-2022-4803: usememos/memos Improper Access Control vulnerability

8.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2022-4803
GHSA ID
GHSA-mfmp-8mqg-q4wm
EPSS Score
0.20711%
CWE
CWE-284
Published
12/28/2022
Updated
2/3/2023
KEV Status
No
Technology
TechnologyGo

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
github.com/usememos/memosgo<= 0.9.00.9.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stemmed from missing authorization checks in CRUD operations where: 1) User-controlled IDs were accepted without verifying resource ownership 2) CreatorID fields in structs were user-controllable via JSON (evidenced by adding json:"-" in API structs) 3) The patch added explicit creatorID comparisons after fetching resources. The vulnerable functions handled core operations (update/delete) that accepted user-provided identifiers but lacked proper access control checks before acting on those resources.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

us*m*mos/m*mos *.*.* *n* prior is vuln*r**l* to Improp*r ****ss *ontrol.

Reasoning

T** vuln*r**ility st*mm** *rom missin* *ut*oriz*tion ****ks in *RU* op*r*tions w**r*: *) Us*r-*ontroll** I*s w*r* ****pt** wit*out v*ri*yin* r*sour** own*rs*ip *) *r**torI* *i*l*s in stru*ts w*r* us*r-*ontroll**l* vi* JSON (*vi**n*** *y ***in* `json: