vulndb/data/osv/GO-2024-2936.json

{
  "schema_version": "1.3.1",
  "id": "GO-2024-2936",
  "modified": "0001-01-01T00:00:00Z",
  "published": "0001-01-01T00:00:00Z",
  "aliases": [
    "CVE-2024-38351",
    "GHSA-m93w-4fxv-r35v"
  ],
  "summary": "PocketBase performs password auth and OAuth2 unverified email linking in github.com/pocketbase/pocketbase",
  "details": "PocketBase performs password auth and OAuth2 unverified email linking in github.com/pocketbase/pocketbase",
  "affected": [
    {
      "package": {
        "name": "github.com/pocketbase/pocketbase",
        "ecosystem": "Go"
      },
      "ranges": [
        {
          "type": "SEMVER",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.22.14"
            }
          ]
        }
      ],
      "ecosystem_specific": {
        "imports": [
          {
            "path": "github.com/pocketbase/pocketbase/apis",
            "symbols": [
              "EnrichRecord",
              "EnrichRecords",
              "RecordAuthResponse",
              "Serve",
              "recordAuthApi.authWithOAuth2",
              "recordAuthApi.authWithPassword"
            ]
          },
          {
            "path": "github.com/pocketbase/pocketbase/models",
            "symbols": [
              "NewRecordFromNullStringMap",
              "NewRecordsFromNullStringMaps",
              "Record.CleanCopy",
              "Record.ColumnValueMap",
              "Record.Email",
              "Record.EmailVisibility",
              "Record.FindFileFieldByFile",
              "Record.Get",
              "Record.GetBool",
              "Record.GetDateTime",
              "Record.GetFloat",
              "Record.GetInt",
              "Record.GetString",
              "Record.GetStringSlice",
              "Record.GetTime",
              "Record.LastResetSentAt",
              "Record.LastVerificationSentAt",
              "Record.Load",
              "Record.MarshalJSON",
              "Record.OriginalCopy",
              "Record.PasswordHash",
              "Record.PublicExport",
              "Record.RefreshTokenKey",
              "Record.ReplaceModifers",
              "Record.Set",
              "Record.SetEmail",
              "Record.SetEmailVisibility",
              "Record.SetLastResetSentAt",
              "Record.SetLastVerificationSentAt",
              "Record.SetPassword",
              "Record.SetTokenKey",
              "Record.SetUsername",
              "Record.SetVerified",
              "Record.TokenKey",
              "Record.UnknownData",
              "Record.UnmarshalJSON",
              "Record.UnmarshalJSONField",
              "Record.Username",
              "Record.ValidatePassword",
              "Record.Verified",
              "Record.getNormalizeDataValueForDB"
            ]
          },
          {
            "path": "github.com/pocketbase/pocketbase/models/schema",
            "symbols": [
              "AuthFieldNames"
            ]
          },
          {
            "path": "github.com/pocketbase/pocketbase/daos",
            "symbols": [
              "Dao.CanAccessRecord",
              "Dao.CreateViewSchema",
              "Dao.Delete",
              "Dao.DeleteAdmin",
              "Dao.DeleteCollection",
              "Dao.DeleteExternalAuth",
              "Dao.DeleteOldLogs",
              "Dao.DeleteParam",
              "Dao.DeleteRecord",
              "Dao.DeleteTable",
              "Dao.DeleteView",
              "Dao.ExpandRecord",
              "Dao.ExpandRecords",
              "Dao.FindAdminByEmail",
              "Dao.FindAdminById",
              "Dao.FindAdminByToken",
              "Dao.FindAllExternalAuthsByRecord",
              "Dao.FindAuthRecordByEmail",
              "Dao.FindAuthRecordByToken",
              "Dao.FindAuthRecordByUsername",
              "Dao.FindById",
              "Dao.FindCollectionByNameOrId",
              "Dao.FindCollectionReferences",
              "Dao.FindCollectionsByType",
              "Dao.FindExternalAuthByRecordAndProvider",
              "Dao.FindFirstExternalAuthByExpr",
              "Dao.FindFirstRecordByData",
              "Dao.FindFirstRecordByFilter",
              "Dao.FindLogById",
              "Dao.FindParamByKey",
              "Dao.FindRecordById",
              "Dao.FindRecordByViewFile",
              "Dao.FindRecordsByExpr",
              "Dao.FindRecordsByFilter",
              "Dao.FindRecordsByIds",
              "Dao.FindSettings",
              "Dao.HasTable",
              "Dao.ImportCollections",
              "Dao.IsAdminEmailUnique",
              "Dao.IsCollectionNameUnique",
              "Dao.IsRecordValueUnique",
              "Dao.LogsStats",
              "Dao.RecordQuery",
              "Dao.RunInTransaction",
              "Dao.Save",
              "Dao.SaveAdmin",
              "Dao.SaveCollection",
              "Dao.SaveExternalAuth",
              "Dao.SaveLog",
              "Dao.SaveParam",
              "Dao.SaveRecord",
              "Dao.SaveSettings",
              "Dao.SaveView",
              "Dao.SuggestUniqueAuthRecordUsername",
              "Dao.SyncRecordTableSchema",
              "Dao.TableColumns",
              "Dao.TableIndexes",
              "Dao.TableInfo",
              "Dao.TotalAdmins",
              "Dao.Vacuum"
            ]
          },
          {
            "path": "github.com/pocketbase/pocketbase/forms",
            "symbols": [
              "AdminLogin.Submit",
              "AdminLogin.Validate",
              "AdminPasswordResetConfirm.Submit",
              "AdminPasswordResetConfirm.Validate",
              "AdminPasswordResetRequest.Submit",
              "AdminPasswordResetRequest.Validate",
              "AdminUpsert.Submit",
              "AdminUpsert.Validate",
              "AppleClientSecretCreate.Submit",
              "AppleClientSecretCreate.Validate",
              "BackupCreate.Submit",
              "BackupCreate.Validate",
              "BackupUpload.Submit",
              "BackupUpload.Validate",
              "CollectionUpsert.Submit",
              "CollectionUpsert.Validate",
              "CollectionsImport.Submit",
              "CollectionsImport.Validate",
              "NewRecordUpsert",
              "RealtimeSubscribe.Validate",
              "RecordEmailChangeConfirm.Submit",
              "RecordEmailChangeConfirm.Validate",
              "RecordEmailChangeRequest.Submit",
              "RecordEmailChangeRequest.Validate",
              "RecordOAuth2Login.Submit",
              "RecordOAuth2Login.Validate",
              "RecordOAuth2Login.submit",
              "RecordPasswordLogin.Submit",
              "RecordPasswordLogin.Validate",
              "RecordPasswordResetConfirm.Submit",
              "RecordPasswordResetConfirm.Validate",
              "RecordPasswordResetRequest.Submit",
              "RecordPasswordResetRequest.Validate",
              "RecordUpsert.DrySubmit",
              "RecordUpsert.LoadData",
              "RecordUpsert.LoadRequest",
              "RecordUpsert.Submit",
              "RecordUpsert.Validate",
              "RecordUpsert.ValidateAndFill",
              "RecordVerificationConfirm.Submit",
              "RecordVerificationConfirm.Validate",
              "RecordVerificationRequest.Submit",
              "RecordVerificationRequest.Validate",
              "SettingsUpsert.Submit",
              "SettingsUpsert.Validate",
              "TestEmailSend.Submit",
              "TestEmailSend.Validate",
              "TestS3Filesystem.Submit",
              "TestS3Filesystem.Validate"
            ]
          }
        ]
      }
    }
  ],
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/pocketbase/pocketbase/security/advisories/GHSA-m93w-4fxv-r35v"
    },
    {
      "type": "FIX",
      "url": "https://github.com/pocketbase/pocketbase/commit/58ace5d5e7b9b979490019cf8d1b88491e5daec5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pocketbase/pocketbase/discussions/4355"
    }
  ],
  "database_specific": {
    "url": "https://pkg.go.dev/vuln/GO-2024-2936",
    "review_status": "REVIEWED"
  }
}
data/reports: add 5 reports - data/reports/GO-2024-2920.yaml - data/reports/GO-2024-2921.yaml - data/reports/GO-2024-2930.yaml - data/reports/GO-2024-2936.yaml - data/reports/GO-2024-2943.yaml Fixes golang/vulndb#2920 Fixes golang/vulndb#2921 Fixes golang/vulndb#2930 Fixes golang/vulndb#2936 Fixes golang/vulndb#2943 Change-Id: I6de64b6c40310fbc70839bdffd8665a4c639d7b3 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/595957 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com> 2024-07-01 21:16:17 +03:00			`{`
			`"schema_version": "1.3.1",`
			`"id": "GO-2024-2936",`
			`"modified": "0001-01-01T00:00:00Z",`
			`"published": "0001-01-01T00:00:00Z",`
			`"aliases": [`
			`"CVE-2024-38351",`
			`"GHSA-m93w-4fxv-r35v"`
			`],`
			`"summary": "PocketBase performs password auth and OAuth2 unverified email linking in github.com/pocketbase/pocketbase",`
			`"details": "PocketBase performs password auth and OAuth2 unverified email linking in github.com/pocketbase/pocketbase",`
			`"affected": [`
			`{`
			`"package": {`
			`"name": "github.com/pocketbase/pocketbase",`
			`"ecosystem": "Go"`
			`},`
			`"ranges": [`
			`{`
			`"type": "SEMVER",`
			`"events": [`
			`{`
			`"introduced": "0"`
			`},`
			`{`
			`"fixed": "0.22.14"`
			`}`
			`]`
			`}`
			`],`
			`"ecosystem_specific": {`
			`"imports": [`
			`{`
			`"path": "github.com/pocketbase/pocketbase/apis",`
			`"symbols": [`
			`"EnrichRecord",`
			`"EnrichRecords",`
			`"RecordAuthResponse",`
			`"Serve",`
			`"recordAuthApi.authWithOAuth2",`
			`"recordAuthApi.authWithPassword"`
			`]`
			`},`
			`{`
			`"path": "github.com/pocketbase/pocketbase/models",`
			`"symbols": [`
			`"NewRecordFromNullStringMap",`
			`"NewRecordsFromNullStringMaps",`
			`"Record.CleanCopy",`
			`"Record.ColumnValueMap",`
			`"Record.Email",`
			`"Record.EmailVisibility",`
			`"Record.FindFileFieldByFile",`
			`"Record.Get",`
			`"Record.GetBool",`
			`"Record.GetDateTime",`
			`"Record.GetFloat",`
			`"Record.GetInt",`
			`"Record.GetString",`
			`"Record.GetStringSlice",`
			`"Record.GetTime",`
			`"Record.LastResetSentAt",`
			`"Record.LastVerificationSentAt",`
			`"Record.Load",`
			`"Record.MarshalJSON",`
			`"Record.OriginalCopy",`
			`"Record.PasswordHash",`
			`"Record.PublicExport",`
			`"Record.RefreshTokenKey",`
			`"Record.ReplaceModifers",`
			`"Record.Set",`
			`"Record.SetEmail",`
			`"Record.SetEmailVisibility",`
			`"Record.SetLastResetSentAt",`
			`"Record.SetLastVerificationSentAt",`
			`"Record.SetPassword",`
			`"Record.SetTokenKey",`
			`"Record.SetUsername",`
			`"Record.SetVerified",`
			`"Record.TokenKey",`
			`"Record.UnknownData",`
			`"Record.UnmarshalJSON",`
			`"Record.UnmarshalJSONField",`
			`"Record.Username",`
			`"Record.ValidatePassword",`
			`"Record.Verified",`
			`"Record.getNormalizeDataValueForDB"`
			`]`
			`},`
			`{`
			`"path": "github.com/pocketbase/pocketbase/models/schema",`
			`"symbols": [`
			`"AuthFieldNames"`
			`]`
			`},`
			`{`
			`"path": "github.com/pocketbase/pocketbase/daos",`
			`"symbols": [`
			`"Dao.CanAccessRecord",`
			`"Dao.CreateViewSchema",`
			`"Dao.Delete",`
			`"Dao.DeleteAdmin",`
			`"Dao.DeleteCollection",`
			`"Dao.DeleteExternalAuth",`
			`"Dao.DeleteOldLogs",`
			`"Dao.DeleteParam",`
			`"Dao.DeleteRecord",`
			`"Dao.DeleteTable",`
			`"Dao.DeleteView",`
			`"Dao.ExpandRecord",`
			`"Dao.ExpandRecords",`
			`"Dao.FindAdminByEmail",`
			`"Dao.FindAdminById",`
			`"Dao.FindAdminByToken",`
			`"Dao.FindAllExternalAuthsByRecord",`
			`"Dao.FindAuthRecordByEmail",`
			`"Dao.FindAuthRecordByToken",`
			`"Dao.FindAuthRecordByUsername",`
			`"Dao.FindById",`
			`"Dao.FindCollectionByNameOrId",`
			`"Dao.FindCollectionReferences",`
			`"Dao.FindCollectionsByType",`
			`"Dao.FindExternalAuthByRecordAndProvider",`
			`"Dao.FindFirstExternalAuthByExpr",`
			`"Dao.FindFirstRecordByData",`
			`"Dao.FindFirstRecordByFilter",`
			`"Dao.FindLogById",`
			`"Dao.FindParamByKey",`
			`"Dao.FindRecordById",`
			`"Dao.FindRecordByViewFile",`
			`"Dao.FindRecordsByExpr",`
			`"Dao.FindRecordsByFilter",`
			`"Dao.FindRecordsByIds",`
			`"Dao.FindSettings",`
			`"Dao.HasTable",`
			`"Dao.ImportCollections",`
			`"Dao.IsAdminEmailUnique",`
			`"Dao.IsCollectionNameUnique",`
			`"Dao.IsRecordValueUnique",`
			`"Dao.LogsStats",`
			`"Dao.RecordQuery",`
			`"Dao.RunInTransaction",`
			`"Dao.Save",`
			`"Dao.SaveAdmin",`
			`"Dao.SaveCollection",`
			`"Dao.SaveExternalAuth",`
			`"Dao.SaveLog",`
			`"Dao.SaveParam",`
			`"Dao.SaveRecord",`
			`"Dao.SaveSettings",`
			`"Dao.SaveView",`
			`"Dao.SuggestUniqueAuthRecordUsername",`
			`"Dao.SyncRecordTableSchema",`
			`"Dao.TableColumns",`
			`"Dao.TableIndexes",`
			`"Dao.TableInfo",`
			`"Dao.TotalAdmins",`
			`"Dao.Vacuum"`
			`]`
			`},`
			`{`
			`"path": "github.com/pocketbase/pocketbase/forms",`
			`"symbols": [`
			`"AdminLogin.Submit",`
			`"AdminLogin.Validate",`
			`"AdminPasswordResetConfirm.Submit",`
			`"AdminPasswordResetConfirm.Validate",`
			`"AdminPasswordResetRequest.Submit",`
			`"AdminPasswordResetRequest.Validate",`
			`"AdminUpsert.Submit",`
			`"AdminUpsert.Validate",`
			`"AppleClientSecretCreate.Submit",`
			`"AppleClientSecretCreate.Validate",`
			`"BackupCreate.Submit",`
			`"BackupCreate.Validate",`
			`"BackupUpload.Submit",`
			`"BackupUpload.Validate",`
			`"CollectionUpsert.Submit",`
			`"CollectionUpsert.Validate",`
			`"CollectionsImport.Submit",`
			`"CollectionsImport.Validate",`
			`"NewRecordUpsert",`
			`"RealtimeSubscribe.Validate",`
			`"RecordEmailChangeConfirm.Submit",`
			`"RecordEmailChangeConfirm.Validate",`
			`"RecordEmailChangeRequest.Submit",`
			`"RecordEmailChangeRequest.Validate",`
			`"RecordOAuth2Login.Submit",`
			`"RecordOAuth2Login.Validate",`
			`"RecordOAuth2Login.submit",`
			`"RecordPasswordLogin.Submit",`
			`"RecordPasswordLogin.Validate",`
			`"RecordPasswordResetConfirm.Submit",`
			`"RecordPasswordResetConfirm.Validate",`
			`"RecordPasswordResetRequest.Submit",`
			`"RecordPasswordResetRequest.Validate",`
			`"RecordUpsert.DrySubmit",`
			`"RecordUpsert.LoadData",`
			`"RecordUpsert.LoadRequest",`
			`"RecordUpsert.Submit",`
			`"RecordUpsert.Validate",`
			`"RecordUpsert.ValidateAndFill",`
			`"RecordVerificationConfirm.Submit",`
			`"RecordVerificationConfirm.Validate",`
			`"RecordVerificationRequest.Submit",`
			`"RecordVerificationRequest.Validate",`
			`"SettingsUpsert.Submit",`
			`"SettingsUpsert.Validate",`
			`"TestEmailSend.Submit",`
			`"TestEmailSend.Validate",`
			`"TestS3Filesystem.Submit",`
			`"TestS3Filesystem.Validate"`
			`]`
			`}`
			`]`
			`}`
			`}`
			`],`
			`"references": [`
			`{`
			`"type": "ADVISORY",`
			`"url": "https://github.com/pocketbase/pocketbase/security/advisories/GHSA-m93w-4fxv-r35v"`
			`},`
			`{`
			`"type": "FIX",`
			`"url": "https://github.com/pocketbase/pocketbase/commit/58ace5d5e7b9b979490019cf8d1b88491e5daec5"`
			`},`
			`{`
			`"type": "WEB",`
			`"url": "https://github.com/pocketbase/pocketbase/discussions/4355"`
			`}`
			`],`
			`"database_specific": {`
			`"url": "https://pkg.go.dev/vuln/GO-2024-2936",`
			`"review_status": "REVIEWED"`
			`}`
			`}`