CVE-2024-41659: 
NixOS vulnerability analysis and mitigation

A CORS misconfiguration vulnerability (CVE-2024-41659) was discovered in memos version 0.20.1 and earlier. The vulnerability exists where an arbitrary origin is reflected with Access-Control-Allow-Credentials set to true, affecting the privacy-first, lightweight note-taking service. This vulnerability was discovered on March 21, 2024, and was fixed in version 0.21.0 (GitHub Advisory).

The vulnerability stems from a CORS middleware implementation in server.go that reflects the Origin request header in the Access-Control-Allow-Origin response header while simultaneously setting Access-Control-Allow-Credentials to true for all non-GRPC requests. This misconfiguration leaves the v1 API vulnerable to cross-origin attacks. The vulnerability has been assigned a CVSS v3.1 base score of 8.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N (NVD).

The vulnerability allows an attacking website to make cross-origin requests, enabling attackers to read private information or make privileged changes to the system as the vulnerable user account. If the CORS attack is executed on the host user, an attacker can compromise any account by changing the account's password and gaining unauthorized access (GitHub Advisory).

The vulnerability has been fixed in memos version 0.21.0. The fix involves adding an origin flag to configure CORS settings properly, allowing administrators to specify allowed origins explicitly. Users are strongly recommended to upgrade to version 0.21.0 or later (GitHub Commit).