Date Published: June 2024
Category: Security
CVE reference: CVE-2023-4696
Affected software: usememos/memos (versions before 0.13.2)

Introduction

A recent security vulnerability—CVE-2023-4696—was discovered in the widely used open-source memo application, Memos. This long-read post will break down what this vulnerability is, how it works, and what you should do about it—in plain, simple language.

What is CVE-2023-4696?

CVE-2023-4696 is a software vulnerability in the *Memos* repository. Specifically, the problem is improper access control: because of flawed authentication and authorization logic in the application's API backend, users can read or modify content they should not have access to in certain situations.

In security language:
> An improper access control issue in Memos prior to 0.13.2 allows unauthorized users to perform actions or view content that should be restricted.

Who Is Affected?

- Anyone running usememos/memos prior to version 0.13.2.

This is especially dangerous on public-facing servers, or anywhere untrusted users can reach the instance.

If you're using a version *before v0.13.2*, you're at risk.

How Bad Is This?

Serious.

Technical Details — How Does the Vulnerability Work?

In versions before .13.2, the backend API endpoints did not enforce ownership checks for certain actions. For example, an endpoint that should require authentication and confirm the user belongs to a resource (like a memo or a workspace) might simply skip that check, letting anyone fetch or change data by simply guessing or knowing the resource ID.

Example Scenario

Imagine a memo-sharing app where each note (memo) is supposed to be accessible only to its creator. However, due to this flaw, you could send a GET request to /api/memo/12345 with any valid session (or sometimes no authentication at all) and retrieve someone else's private memo.

The main issue is twofold: resource IDs could be guessed, and access to the resource was not checked correctly.

Here is a simplified, illustrative version of the issue:

```go
// (This is illustrative pseudo Go code, not the exact real source.)

// Vulnerable handler for getting a memo
func getMemoHandler(c *Context) {
    memoID := c.Param("id") // taken straight from the URL
    memo, err := store.GetMemoByID(memoID)
    if err != nil {
        c.JSON(404, "Not found")
        return
    }
    // MISSING: ownership check! Anyone who knows the ID gets the memo.
    c.JSON(200, memo)
}
```

A secure handler should look like this:

```go
func getMemoHandler(c *Context) {
    memoID := c.Param("id")
    userID := c.User().ID  // identity of the authenticated user, from the session
    memo, err := store.GetMemoByID(memoID)
    // One response for "not found" and "not yours", so the status code
    // does not reveal which IDs exist.
    if err != nil || memo.OwnerID != userID {
        c.JSON(403, "Forbidden")
        return
    }
    c.JSON(200, memo)
}
```

In short: The first example gives up the memo data to anyone who knows the ID. The fixed example *checks if the memo belongs to the current user*.
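To make the difference concrete, here is an added, self-contained Go program (not code from the Memos project) that puts the vulnerable and the hardened handler side by side on plain net/http and exercises both as different users, which is the test the post recommends for developers. The in-memory store, the user IDs and the `X-User-ID` header standing in for session authentication are all constructed for the example; the hardened handler returns 404 for both "does not exist" and "not owned by you" so a caller cannot use the status code to confirm which IDs exist.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
)

// Memo is a minimal record; OwnerID is what the authorization check must consult.
type Memo struct {
	ID      int    `json:"id"`
	OwnerID int    `json:"ownerId"`
	Content string `json:"content"`
}

// memoStore is a constructed in-memory stand-in for the database.
var memoStore = map[int]Memo{
	1: {ID: 1, OwnerID: 101, Content: "alice's private note"},
	2: {ID: 2, OwnerID: 102, Content: "bob's private note"},
}

// currentUserID simulates session authentication. The caller's identity comes
// from a hypothetical X-User-ID header here, never from anything in the URL.
func currentUserID(r *http.Request) (int, bool) {
	id, err := strconv.Atoi(r.Header.Get("X-User-ID"))
	if err != nil {
		return 0, false
	}
	return id, true
}

// memoIDFromPath extracts <id> from /api/memo/<id>.
func memoIDFromPath(r *http.Request) (int, error) {
	return strconv.Atoi(strings.TrimPrefix(r.URL.Path, "/api/memo/"))
}

// vulnerableGetMemo mirrors the flaw: any caller who knows the ID gets the memo.
func vulnerableGetMemo(w http.ResponseWriter, r *http.Request) {
	id, err := memoIDFromPath(r)
	memo, ok := memoStore[id]
	if err != nil || !ok {
		http.Error(w, "not found", http.StatusNotFound)
		return
	}
	json.NewEncoder(w).Encode(memo) // no ownership check at all
}

// hardenedGetMemo requires an authenticated caller and enforces ownership.
func hardenedGetMemo(w http.ResponseWriter, r *http.Request) {
	userID, authed := currentUserID(r)
	if !authed {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	id, err := memoIDFromPath(r)
	memo, ok := memoStore[id]
	// Same 404 for "missing" and "not yours": no ID oracle.
	if err != nil || !ok || memo.OwnerID != userID {
		http.Error(w, "not found", http.StatusNotFound)
		return
	}
	json.NewEncoder(w).Encode(memo)
}

// fetchAs issues GET /api/memo/<memoID> against a handler as the given user
// (0 = unauthenticated) and returns the HTTP status code.
func fetchAs(h http.HandlerFunc, memoID, userID int) int {
	req := httptest.NewRequest(http.MethodGet, "/api/memo/"+strconv.Itoa(memoID), nil)
	if userID != 0 {
		req.Header.Set("X-User-ID", strconv.Itoa(userID))
	}
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("vulnerable, bob reads alice's memo:  ", fetchAs(vulnerableGetMemo, 1, 102))
	fmt.Println("vulnerable, unauthenticated read:    ", fetchAs(vulnerableGetMemo, 1, 0))
	fmt.Println("hardened, bob reads alice's memo:    ", fetchAs(hardenedGetMemo, 1, 102))
	fmt.Println("hardened, alice reads her own memo:  ", fetchAs(hardenedGetMemo, 1, 101))
	fmt.Println("hardened, unauthenticated read:      ", fetchAs(hardenedGetMemo, 1, 0))
}
```

The `fetchAs` helper is the whole point: a regression test that asks for the same memo as the owner, as another user and with no session at all, and fails the moment the non-owner path returns 200 again.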

Steps To Exploit (Proof of Concept)

*This example is for educational purposes only. Do not use to attack real systems.*

```bash
curl https://memos.example.com/api/memo/2
```

or with an authentication header, if required:

```bash
curl -H "Authorization: Bearer" https://memos.example.com/api/memo/2
```

If the server responds with the content, access control is broken.

In more advanced cases, you could try to modify or delete someone else’s memo using similar weakly protected endpoints, with PATCH or DELETE verbs.

Original Advisory:

GitHub Security Advisory GHSA-7g3x-rqxr-2899

Fix Commit:

usememos/memos commit 95baec8

CVE Record:

NVD page for CVE-2023-4696

Example if running Docker:

```bash
docker pull neosmemo/memos:latest  # or use a specific tag >= 0.13.2
```

Check your access logs

Look for suspicious requests to /api/memo/* or similar endpoints.
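As an added example of what that log review can look like in practice (not part of the original post or the Memos project), the Go program below parses access-log lines in the common nginx/Apache combined format, keeps only requests to `/api/memo/<id>`, and summarises per client how many distinct memo IDs were read successfully, how many modifying requests (PATCH/DELETE) succeeded, and how many 404s occurred, which is what sequential ID guessing tends to leave behind. The log lines, IP addresses and the threshold are all constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// sampleLog is a constructed sample in combined log format; not real server logs.
var sampleLog = `10.0.0.5 - - [01/Sep/2023:10:00:01 +0000] "GET /api/memo/7 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Sep/2023:10:00:09 +0000] "PATCH /api/memo/7 HTTP/1.1" 200 80 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Sep/2023:10:01:00 +0000] "GET /api/memo/1 HTTP/1.1" 200 410 "-" "curl/8.1.2"
203.0.113.9 - - [01/Sep/2023:10:01:01 +0000] "GET /api/memo/2 HTTP/1.1" 200 388 "-" "curl/8.1.2"
203.0.113.9 - - [01/Sep/2023:10:01:01 +0000] "GET /api/memo/3 HTTP/1.1" 404 21 "-" "curl/8.1.2"
203.0.113.9 - - [01/Sep/2023:10:01:02 +0000] "GET /api/memo/4 HTTP/1.1" 200 902 "-" "curl/8.1.2"
203.0.113.9 - - [01/Sep/2023:10:01:02 +0000] "DELETE /api/memo/4 HTTP/1.1" 200 0 "-" "curl/8.1.2"
10.0.0.8 - - [01/Sep/2023:10:02:00 +0000] "GET /api/memo/9 HTTP/1.1" 200 300 "-" "Mozilla/5.0"
`

// lineRe captures client, timestamp, method, memo ID and status for memo-endpoint
// requests only; anything else on the log line is ignored.
var lineRe = regexp.MustCompile(`^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) /api/memo/(\d+)\S* HTTP/[\d.]+" (\d{3})`)

type memoAccess struct {
	Client, When, Method, MemoID, Status string
}

// parseMemoAccesses returns one record per request that hit /api/memo/<id>.
func parseMemoAccesses(log string) []memoAccess {
	var out []memoAccess
	for _, line := range strings.Split(log, "\n") {
		m := lineRe.FindStringSubmatch(line)
		if m == nil {
			continue // not a memo endpoint, or an unparsable line
		}
		out = append(out, memoAccess{Client: m[1], When: m[2], Method: m[3], MemoID: m[4], Status: m[5]})
	}
	return out
}

// Finding summarises one client's activity against /api/memo/*.
type Finding struct {
	Client        string
	DistinctMemos int // distinct memo IDs read with a 2xx response
	Mutations     int // PATCH/DELETE/etc. with a 2xx response
	NotFound      int // 404s, a common trace of ID guessing
}

func summarise(accesses []memoAccess) map[string]*Finding {
	seen := map[string]map[string]bool{} // client -> memo IDs already counted
	out := map[string]*Finding{}
	for _, a := range accesses {
		f := out[a.Client]
		if f == nil {
			f = &Finding{Client: a.Client}
			out[a.Client] = f
			seen[a.Client] = map[string]bool{}
		}
		switch {
		case a.Status == "404":
			f.NotFound++
		case a.Method == "GET" && strings.HasPrefix(a.Status, "2"):
			if !seen[a.Client][a.MemoID] {
				seen[a.Client][a.MemoID] = true
				f.DistinctMemos++
			}
		case strings.HasPrefix(a.Status, "2"):
			f.Mutations++
		}
	}
	return out
}

// flagClients returns clients that successfully read at least threshold distinct
// memo IDs, most active first. The threshold is a constructed example value; tune
// it to how many memos a legitimate user of your instance normally opens.
func flagClients(log string, threshold int) []Finding {
	var flagged []Finding
	for _, f := range summarise(parseMemoAccesses(log)) {
		if f.DistinctMemos >= threshold {
			flagged = append(flagged, *f)
		}
	}
	sort.Slice(flagged, func(i, j int) bool { return flagged[i].DistinctMemos > flagged[j].DistinctMemos })
	return flagged
}

func main() {
	for _, f := range flagClients(sampleLog, 3) {
		fmt.Printf("%s read %d distinct memos, %d successful modifications, %d not-found responses\n",
			f.Client, f.DistinctMemos, f.Mutations, f.NotFound)
	}
}
```

On a real instance the interesting follow-up is to join a flagged client against your application's own session or user log: many distinct memo IDs read by one client, each belonging to a different owner, is the signature of exactly the access-control failure this CVE describes, and cannot be told apart from normal use by the web server log alone.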

Conclusion

CVE-2023-4696 is a classic but critical mistake: not checking if a user is allowed to do something before showing them data. If you run Memos, make sure you’re on version 0.13.2 or later. Keep your software up-to-date and always double-check your access controls—because sometimes, the simplest bugs cause the biggest problems.

Stay safe, keep your notes private, and update your apps!

*For developers: Always test your endpoints as different users, and enforce those ownership checks everywhere—don’t assume the frontend will do it for you.*

---

Timeline

Published on: 09/01/2023 01:15:00 UTC
Last modified on: 09/01/2023 13:06:00 UTC