
CVE-2022-4805: usememos/memos Incorrect Use of Privileged APIs vulnerability

CVSS Score: 4.3 (CVSS v3.1)

Basic Information

EPSS Score: 0.15132%
Published: 12/28/2022
Updated: 2/3/2023
KEV Status: No
Technology: Go

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Package Name: github.com/usememos/memos
Ecosystem: go
Vulnerable Versions: <= 0.9.0
First Patched Version: 0.9.1

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stemmed from missing ownership checks in API endpoints handling privileged operations. The commit added critical CreatorID validation steps that were previously absent. Key indicators are: 1) Removal of CreatorID from query filters and replacement with post-fetch ownership checks 2) Structural changes to API request bindings (json:"-" annotations) preventing client manipulation 3) Added authorization blocks checking memo.CreatorID == userID before operations. The affected functions handled memo/shortcut/resource modification/deletion endpoints that previously relied on flawed query-based 'implicit' authorization rather than explicit post-fetch ownership verification.
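The following Go program is an added illustration of the fix pattern described above; it is not code from the memos project, and the struct, store and function names (Memo, MemoStore, ArchiveMemoVulnerable, ArchiveMemoHardened) are constructed stand-ins. It places the flawed handler shape, where the creator id is bound from client JSON and used as the ownership filter, beside the hardened shape, where the field carries `json:"-"` and ownership is verified against the session user after the record is fetched.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Memo is a minimal stand-in for a memos record (constructed for this example).
type Memo struct {
	ID        int
	CreatorID int
	RowStatus string // "NORMAL" or "ARCHIVED"
}

// MemoStore is an in-memory stand-in for the database table.
type MemoStore struct {
	memos map[int]*Memo
}

func NewMemoStore(memos ...*Memo) *MemoStore {
	s := &MemoStore{memos: map[int]*Memo{}}
	for _, m := range memos {
		s.memos[m.ID] = m
	}
	return s
}

// Find fetches a memo by primary key only; no creator filter is applied here.
func (s *MemoStore) Find(id int) (*Memo, error) {
	m, ok := s.memos[id]
	if !ok {
		return nil, errors.New("memo not found")
	}
	return m, nil
}

var ErrForbidden = errors.New("forbidden: caller is not the memo's creator")

// VulnerablePatchRequest mirrors the flawed shape (hypothetical, not the
// project's real struct): CreatorID is bound from client JSON, so the caller
// chooses which creator id the ownership filter compares against.
type VulnerablePatchRequest struct {
	ID        int    `json:"id"`
	CreatorID int    `json:"creatorId"`
	RowStatus string `json:"rowStatus"`
}

// ArchiveMemoVulnerable relies on "implicit" authorization: the creator id
// used as the filter comes from the request body, not from the session.
func ArchiveMemoVulnerable(s *MemoStore, _ int, body []byte) error {
	var req VulnerablePatchRequest
	if err := json.Unmarshal(body, &req); err != nil {
		return err
	}
	m, err := s.Find(req.ID)
	if err != nil {
		return err
	}
	if m.CreatorID != req.CreatorID { // client-controlled comparison value
		return ErrForbidden
	}
	m.RowStatus = req.RowStatus
	return nil
}

// HardenedPatchRequest: CreatorID carries json:"-", so encoding/json never
// populates it from the client; only server-side code can set it.
type HardenedPatchRequest struct {
	ID        int    `json:"id"`
	CreatorID int    `json:"-"`
	RowStatus string `json:"rowStatus"`
}

// ArchiveMemoHardened fetches the record first, then performs an explicit
// ownership check against the authenticated session user id.
func ArchiveMemoHardened(s *MemoStore, sessionUserID int, body []byte) error {
	var req HardenedPatchRequest
	if err := json.Unmarshal(body, &req); err != nil {
		return err
	}
	req.CreatorID = sessionUserID // authoritative identity, set by the server
	m, err := s.Find(req.ID)
	if err != nil {
		return err
	}
	if m.CreatorID != req.CreatorID { // post-fetch ownership verification
		return ErrForbidden
	}
	m.RowStatus = req.RowStatus
	return nil
}

func main() {
	// Constructed scenario: memo 1 belongs to user 1; the request is sent by user 2.
	body := []byte(`{"id":1,"creatorId":1,"rowStatus":"ARCHIVED"}`)
	store := NewMemoStore(&Memo{ID: 1, CreatorID: 1, RowStatus: "NORMAL"})
	fmt.Println("vulnerable:", ArchiveMemoVulnerable(store, 2, body)) // nil: archived by a non-owner
	store = NewMemoStore(&Memo{ID: 1, CreatorID: 1, RowStatus: "NORMAL"})
	fmt.Println("hardened:  ", ArchiveMemoHardened(store, 2, body)) // ErrForbidden
}
```

The detection-relevant point is that a creator filter derived from request parameters is not an authorization check; only a comparison against the session identity after the row is loaded is. The same shape applies to the shortcut and resource endpoints the analysis lists.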

WAF Protection Rules

WAF Rule

In usememos/memos 0.9.0 and prior, a user can archive any private memos, delete any shortcut, and edit any shortcut from other users via API.
