Elestio Memos Server-Side Request Forgery Vulnerability

Vulnerability

A Server-Side Request Forgery (SSRF) vulnerability has been identified in Elestio Memos version 0.23.0. It arises from inadequate validation of user-supplied URLs, allowing attackers to reach internal network resources and protocols. Although the scheme is restricted to HTTP and HTTPS, that restriction does not stop exploitation, because the target host is not validated: a URL pointing at another port on localhost is still fetched. The flaw enables attackers to probe internal web services, scan hosts, and potentially interact with vulnerable endpoints on the internal network.

Impact

Exploitation of this vulnerability allows access to intranet IP addresses and protocols, enabling attackers to interact with internal network assets, probe web services, scan hosts, and potentially reach weakly protected internal endpoints.

Reproduction

The vulnerability can be reproduced by deploying the affected version of Memos using Docker. After starting the application, the SSRF can be triggered by calling the 'GetLinkMetadata' API with a URL pointing to an internal resource. This can be done with 'grpcurl', sending a gRPC request whose link refers to a service on the internal network, such as an FTP server or a web service on a specific port.

Remediation

Users can update to the latest version of Elestio Memos, which includes a fix for this vulnerability. Instructions for updating can be found in the Memos documentation.
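The root cause described above is that the scheme is checked but the host is not. As an added example (not code from the Memos project), the following Go function shows the check a fetcher like the link-metadata endpoint needs: allow only http/https, then reject any host that is, or resolves to, a loopback, private, link-local, unspecified or multicast address. The Resolver type is an assumption introduced so the check can be tested offline; in production it is net.LookupIP.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
)

// Resolver abstracts name resolution so the check can run offline in tests;
// production code passes net.LookupIP, which has exactly this signature.
type Resolver func(host string) ([]net.IP, error)

// isInternal: loopback, RFC 1918, link-local (incl. 169.254.169.254), unspecified and multicast.
func isInternal(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified() || ip.IsMulticast()
}

// ValidateLinkURL allows only http/https and rejects a URL whose host is, or
// resolves to, an internal address. Unresolvable or empty hosts fail closed.
func ValidateLinkURL(raw string, resolve Resolver) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("invalid url: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme not allowed: %q", u.Scheme)
	}
	host := u.Hostname()
	if host == "" {
		return fmt.Errorf("missing host")
	}
	// Literal IPs (incl. bracketed IPv6 and IPv4-mapped forms) are checked directly; names are resolved.
	ips := []net.IP{net.ParseIP(host)}
	if ips[0] == nil {
		if ips, err = resolve(host); err != nil || len(ips) == 0 {
			return fmt.Errorf("cannot resolve %q", host)
		}
	}
	for _, ip := range ips {
		if isInternal(ip) {
			return fmt.Errorf("%q resolves to internal address %s", host, ip)
		}
	}
	return nil
}

func main() {
	fmt.Println(ValidateLinkURL("http://127.0.0.1:21/", net.LookupIP))
}
```

The address that passed this check must also be the one actually dialed (for example via a custom DialContext on the HTTP transport), otherwise a second DNS lookup at connect time can return a different, internal answer.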

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.8
exploitability: 6.0
remediation: 0.0
relevance: 0.0
threat: 7.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.