GHSA-M93W-4FXV-R35V
Vulnerability from github – Published: 2024-06-18 20:29 – Updated: 2024-07-05 21:42In order to be exploited you must have both OAuth2 and Password auth methods enabled.
A possible attack scenario could be: - a malicious actor register with the targeted user's email (it is unverified) - at some later point in time the targeted user stumble on your app and decides to sign-up with OAuth2 (this step could be also initiated by the attacker by sending an invite email to the targeted user) - on successful OAuth2 auth we search for an existing PocketBase user matching with the OAuth2 user's email and associate them - because we haven't changed the password of the existing PocketBase user during the linking, the malicious actor has access to the targeted user account and will be able to login with the initially created email/password
To prevent this for happening we now reset the password for this specific case if the previously created user wasn't verified (an exception to this is if the linking is explicit/manual, aka. when you send Authorization:TOKEN with the OAuth2 auth call).
Additionally to warn existing users we now send an email alert in case the user has logged in with password but has at least one OAuth2 account linked. It looks something like:
Hello, Just to let you know that someone has logged in to your Acme account using a password while you already have OAuth2 GitLab auth linked. If you have recently signed in with a password, you may disregard this email. If you don't recognize the above action, you should immediately change your Acme account password. Thanks, Acme team
The flow will be further improved with the ongoing refactoring and we will start sending emails for "unrecognized device" logins (OTP and MFA is already implemented and will be available with the next v0.23.0 release in the near future).
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/pocketbase/pocketbase"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.22.14"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-38351"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": true,
"github_reviewed_at": "2024-06-18T20:29:33Z",
"nvd_published_at": "2024-06-18T17:15:52Z",
"severity": "MODERATE"
},
"details": "**In order to be exploited you must have both OAuth2 and Password auth methods enabled.**\n\nA possible attack scenario could be:\n- a malicious actor register with the targeted user\u0027s email (it is unverified)\n- at some later point in time the targeted user stumble on your app and decides to sign-up with OAuth2 (_this step could be also initiated by the attacker by sending an invite email to the targeted user_) \n- on successful OAuth2 auth we search for an existing PocketBase user matching with the OAuth2 user\u0027s email and associate them\n- because we haven\u0027t changed the password of the existing PocketBase user during the linking, the malicious actor has access to the targeted user account and will be able to login with the initially created email/password\n\nTo prevent this for happening we now reset the password for this specific case if the previously created user wasn\u0027t verified (an exception to this is if the linking is explicit/manual, aka. when you send `Authorization:TOKEN` with the OAuth2 auth call).\n\nAdditionally to warn existing users we now send an email alert in case the user has logged in with password but has at least one OAuth2 account linked. It looks something like:\n\n_Hello,\nJust to let you know that someone has logged in to your Acme account using a password while you already have OAuth2 GitLab auth linked.\nIf you have recently signed in with a password, you may disregard this email.\n**If you don\u0027t recognize the above action, you should immediately change your Acme account password.**\nThanks,\nAcme team_\n\nThe flow will be further improved with the [ongoing refactoring](https://github.com/pocketbase/pocketbase/discussions/4355) and we will start sending emails for \"unrecognized device\" logins (OTP and MFA is already implemented and will be available with the next v0.23.0 release in the near future).\n\n",
"id": "GHSA-m93w-4fxv-r35v",
"modified": "2024-07-05T21:42:20Z",
"published": "2024-06-18T20:29:33Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pocketbase/pocketbase/security/advisories/GHSA-m93w-4fxv-r35v"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38351"
},
{
"type": "WEB",
"url": "https://github.com/pocketbase/pocketbase/commit/58ace5d5e7b9b979490019cf8d1b88491e5daec5"
},
{
"type": "PACKAGE",
"url": "https://github.com/pocketbase/pocketbase"
},
{
"type": "WEB",
"url": "https://github.com/pocketbase/pocketbase/discussions/4355"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "PocketBase performs password auth and OAuth2 unverified email linking"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.