CVE-2024-38351

{"id": "CVE-2024-38351", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.8}]}, "published": "2024-06-18T17:15:52.777", "references": [{"url": "https://github.com/pocketbase/pocketbase/discussions/4355", "source": "security-advisories@github.com"}, {"url": "https://github.com/pocketbase/pocketbase/security/advisories/GHSA-m93w-4fxv-r35v", "source": "security-advisories@github.com"}, {"url": "https://github.com/pocketbase/pocketbase/discussions/4355", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/pocketbase/pocketbase/security/advisories/GHSA-m93w-4fxv-r35v", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-287"}]}], "descriptions": [{"lang": "en", "value": "Pocketbase is an open source web backend written in go. In affected versions a malicious user may be able to compromise other user accounts. In order to be exploited users must have both OAuth2 and Password auth methods enabled. A possible attack scenario could be: 1. a malicious actor register with the targeted user's email (it is unverified), 2. at some later point in time the targeted user stumble on your app and decides to sign-up with OAuth2 (_this step could be also initiated by the attacker by sending an invite email to the targeted user_), 3. on successful OAuth2 auth we search for an existing PocketBase user matching with the OAuth2 user's email and associate them, 4. because we haven't changed the password of the existing PocketBase user during the linking, the malicious actor has access to the targeted user account and will be able to login with the initially created email/password. To prevent this for happening we now reset the password for this specific case if the previously created user wasn't verified (an exception to this is if the linking is explicit/manual, aka. when you send `Authorization:TOKEN` with the OAuth2 auth call). Additionally to warn existing users we now send an email alert in case the user has logged in with password but has at least one OAuth2 account linked. The flow will be further improved with ongoing refactoring and we will start sending emails for \"unrecognized device\" logins (OTP and MFA is already implemented and will be available with the next v0.23.0 release in the near future). For the time being users are advised to update to version 0.22.14. There are no known workarounds for this vulnerability.\n\n"}, {"lang": "es", "value": "Pocketbase es un backend web de c\u00f3digo abierto escrito en go. En las versiones afectadas, un usuario malintencionado puede comprometer las cuentas de otros usuarios. Para ser explotados, los usuarios deben tener habilitados los m\u00e9todos de autenticaci\u00f3n OAuth2 y Contrase\u00f1a. Un posible escenario de ataque podr\u00eda ser: 1. un actor malintencionado se registra con el correo electr\u00f3nico del usuario objetivo (no est\u00e1 verificado), 2. en alg\u00fan momento posterior, el usuario objetivo tropieza con su aplicaci\u00f3n y decide registrarse con OAuth2 (_este paso El atacante tambi\u00e9n podr\u00eda iniciarlo enviando un correo electr\u00f3nico de invitaci\u00f3n al usuario objetivo_), 3. en una autenticaci\u00f3n OAuth2 exitosa, buscamos un usuario de PocketBase existente que coincida con el correo electr\u00f3nico del usuario OAuth2 y lo asociamos, 4. porque no hemos cambiado el contrase\u00f1a del usuario de PocketBase existente durante la vinculaci\u00f3n, el actor malicioso tiene acceso a la cuenta de usuario objetivo y podr\u00e1 iniciar sesi\u00f3n con el correo electr\u00f3nico/contrase\u00f1a creado inicialmente. Para evitar que esto suceda, ahora restablecemos la contrase\u00f1a para este caso espec\u00edfico si el usuario creado anteriormente no fue verificado (una excepci\u00f3n a esto es si el enlace es expl\u00edcito/manual, tambi\u00e9n conocido como cuando env\u00eda `Autorizaci\u00f3n:TOKEN` con OAuth2 llamada de autenticaci\u00f3n). Adem\u00e1s, para advertir a los usuarios existentes, ahora enviamos una alerta por correo electr\u00f3nico en caso de que el usuario haya iniciado sesi\u00f3n con contrase\u00f1a pero tenga al menos una cuenta OAuth2 vinculada. El flujo se mejorar\u00e1 a\u00fan m\u00e1s con la refactorizaci\u00f3n continua y comenzaremos a enviar correos electr\u00f3nicos para inicios de sesi\u00f3n de \"dispositivos no reconocidos\" (OTP y MFA ya est\u00e1n implementados y estar\u00e1n disponibles con la pr\u00f3xima versi\u00f3n v0.23.0 en un futuro pr\u00f3ximo). Por el momento, se recomienda a los usuarios que actualicen a la versi\u00f3n 0.22.14. No se conocen workarounds para esta vulnerabilidad."}], "lastModified": "2024-11-21T09:25:25.250", "sourceIdentifier": "security-advisories@github.com"}