GO-2024-2602

Source
https://pkg.go.dev/vuln/GO-2024-2602
Import Source
https://vuln.go.dev/ID/GO-2024-2602.json
JSON Data
https://api.osv.dev/v1/vulns/GO-2024-2602
Aliases
Published
2024-03-11T19:00:01Z
Modified
2024-05-20T16:03:47Z
Summary
Incorrect email domain verification in github.com/coder/coder
Details

A vulnerability in Coder's OIDC authentication could allow an attacker to bypass the CODER_OIDC_EMAIL_DOMAIN verification and create an account with an email address whose domain is not in the allowlist. Deployments are only affected if the OIDC provider lets users create their own accounts on the provider (public providers such as google.com). During OIDC registration, the user's email was improperly validated against the allowed CODER_OIDC_EMAIL_DOMAIN values.
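The advisory says what failed (the email-domain gate during OIDC registration) but not how. The following Go example is added here to illustrate the class of mistake and the check a practitioner would want; it is not Coder's code and the weak variant is an assumed failure mode, not the actual defect. The `Claims`, `Store` and `Login` types and functions are constructed for the example, and the allowlist values are made up.

```go
package main

import (
	"errors"
	"fmt"
	"net/mail"
	"strings"
)

// ErrEmailNotAllowed is returned when the email's domain is not on the allowlist.
var ErrEmailNotAllowed = errors.New("email domain not in allowlist")

// naiveDomainAllowed is an illustrative weak check (an assumption for this
// example, not Coder's code): a bare suffix match accepts
// "alice@evil-coder.com" for an allowlist entry of "coder.com".
func naiveDomainAllowed(email string, allowed []string) bool {
	email = strings.ToLower(email)
	for _, d := range allowed {
		if strings.HasSuffix(email, strings.ToLower(d)) {
			return true
		}
	}
	return false
}

// strictDomainAllowed parses the address and requires the domain after the
// last "@" to equal an allowlist entry exactly (case-insensitive; a leading
// "@" on the allowlist entry is tolerated).
func strictDomainAllowed(email string, allowed []string) (bool, error) {
	addr, err := mail.ParseAddress(email)
	if err != nil {
		return false, fmt.Errorf("invalid email %q: %w", email, err)
	}
	at := strings.LastIndex(addr.Address, "@")
	if at < 0 || at == len(addr.Address)-1 {
		return false, fmt.Errorf("invalid email %q: missing domain", email)
	}
	domain := strings.ToLower(addr.Address[at+1:])
	for _, d := range allowed {
		if domain == strings.ToLower(strings.TrimPrefix(d, "@")) {
			return true, nil
		}
	}
	return false, nil
}

// Claims is the subset of ID-token claims this example looks at (constructed).
type Claims struct {
	Email         string
	EmailVerified bool
}

// Store is a stand-in for the user table (constructed for this example).
type Store struct{ users map[string]bool }

func NewStore() *Store { return &Store{users: map[string]bool{}} }

// Login mirrors the shape of an OIDC callback handler: the domain gate runs
// before the existing-user lookup, so a fresh signup at a public provider
// cannot skip it. Returns whether a new account was created.
func (s *Store) Login(c Claims, allowed []string) (created bool, err error) {
	if !c.EmailVerified {
		return false, errors.New("provider did not assert email_verified")
	}
	ok, err := strictDomainAllowed(c.Email, allowed)
	if err != nil {
		return false, err
	}
	if !ok {
		return false, ErrEmailNotAllowed
	}
	key := strings.ToLower(c.Email)
	if s.users[key] {
		return false, nil
	}
	s.users[key] = true
	return true, nil
}

func main() {
	allowed := []string{"coder.com"}
	fmt.Println("naive  evil-coder.com:", naiveDomainAllowed("alice@evil-coder.com", allowed))
	ok, _ := strictDomainAllowed("alice@evil-coder.com", allowed)
	fmt.Println("strict evil-coder.com:", ok)
	s := NewStore()
	_, err := s.Login(Claims{Email: "eve@gmail.com", EmailVerified: true}, allowed)
	fmt.Println("registration with gmail.com:", err)
}
```

The two points worth carrying over to a real deployment are that the domain comparison must be an exact match on the parsed domain label rather than a substring or suffix test, and that it must sit on the registration path as well as the login path, since with a public provider anyone can mint a verified account and the allowlist is the only thing standing between them and a new Coder user.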

Database specific
{
    "review_status": "REVIEWED",
    "url": "https://pkg.go.dev/vuln/GO-2024-2602"
}
References
Credits
    • arcz
    • maxammann

Affected packages

Go / github.com/coder/coder

Package

Name
github.com/coder/coder
View open source insights on deps.dev
Purl
pkg:golang/github.com/coder/coder

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/coder/coder/coderd",
            "symbols": [
                "API.New",
                "Api.userOIDC"
            ]
        }
    ]
}

Go / github.com/coder/coder/v2

Package

Name
github.com/coder/coder/v2
View open source insights on deps.dev
Purl
pkg:golang/github.com/coder/coder/v2

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.6.1
Introduced
2.7.0
Fixed
2.7.3
Introduced
2.8.0
Fixed
2.8.4

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/coder/coder/v2/coderd",
            "symbols": [
                "Api.New",
                "Api.userOIDC"
            ]
        }
    ]
}