Skip to content

PocketBase performs password auth and OAuth2 unverified email linking

Moderate severity GitHub Reviewed Published Jun 18, 2024 in pocketbase/pocketbase • Updated Jul 5, 2024

Package

gomod github.com/pocketbase/pocketbase (Go)

Affected versions

< 0.22.14

Patched versions

0.22.14

Description

In order to be exploited you must have both OAuth2 and Password auth methods enabled.

A possible attack scenario could be:

  • a malicious actor register with the targeted user's email (it is unverified)
  • at some later point in time the targeted user stumble on your app and decides to sign-up with OAuth2 (this step could be also initiated by the attacker by sending an invite email to the targeted user)
  • on successful OAuth2 auth we search for an existing PocketBase user matching with the OAuth2 user's email and associate them
  • because we haven't changed the password of the existing PocketBase user during the linking, the malicious actor has access to the targeted user account and will be able to login with the initially created email/password

To prevent this for happening we now reset the password for this specific case if the previously created user wasn't verified (an exception to this is if the linking is explicit/manual, aka. when you send Authorization:TOKEN with the OAuth2 auth call).

Additionally to warn existing users we now send an email alert in case the user has logged in with password but has at least one OAuth2 account linked. It looks something like:

Hello,
Just to let you know that someone has logged in to your Acme account using a password while you already have OAuth2 GitLab auth linked.
If you have recently signed in with a password, you may disregard this email.
If you don't recognize the above action, you should immediately change your Acme account password.
Thanks,
Acme team

The flow will be further improved with the ongoing refactoring and we will start sending emails for "unrecognized device" logins (OTP and MFA is already implemented and will be available with the next v0.23.0 release in the near future).

References

@ganigeorgiev ganigeorgiev published to pocketbase/pocketbase Jun 18, 2024
Published by the National Vulnerability Database Jun 18, 2024
Published to the GitHub Advisory Database Jun 18, 2024
Reviewed Jun 18, 2024
Last updated Jul 5, 2024

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

EPSS score

0.043%
(10th percentile)

Weaknesses

CVE ID

CVE-2024-38351

GHSA ID

GHSA-m93w-4fxv-r35v

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.