{ "schema_version": "1.3.1", "id": "GO-2024-2936", "modified": "0001-01-01T00:00:00Z", "published": "0001-01-01T00:00:00Z", "aliases": [ "CVE-2024-38351", "GHSA-m93w-4fxv-r35v" ], "summary": "PocketBase performs password auth and OAuth2 unverified email linking in github.com/pocketbase/pocketbase", "details": "PocketBase performs password auth and OAuth2 unverified email linking in github.com/pocketbase/pocketbase", "affected": [ { "package": { "name": "github.com/pocketbase/pocketbase", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.22.14" } ] } ], "ecosystem_specific": { "imports": [ { "path": "github.com/pocketbase/pocketbase/apis", "symbols": [ "EnrichRecord", "EnrichRecords", "RecordAuthResponse", "Serve", "recordAuthApi.authWithOAuth2", "recordAuthApi.authWithPassword" ] }, { "path": "github.com/pocketbase/pocketbase/models", "symbols": [ "NewRecordFromNullStringMap", "NewRecordsFromNullStringMaps", "Record.CleanCopy", "Record.ColumnValueMap", "Record.Email", "Record.EmailVisibility", "Record.FindFileFieldByFile", "Record.Get", "Record.GetBool", "Record.GetDateTime", "Record.GetFloat", "Record.GetInt", "Record.GetString", "Record.GetStringSlice", "Record.GetTime", "Record.LastResetSentAt", "Record.LastVerificationSentAt", "Record.Load", "Record.MarshalJSON", "Record.OriginalCopy", "Record.PasswordHash", "Record.PublicExport", "Record.RefreshTokenKey", "Record.ReplaceModifers", "Record.Set", "Record.SetEmail", "Record.SetEmailVisibility", "Record.SetLastResetSentAt", "Record.SetLastVerificationSentAt", "Record.SetPassword", "Record.SetTokenKey", "Record.SetUsername", "Record.SetVerified", "Record.TokenKey", "Record.UnknownData", "Record.UnmarshalJSON", "Record.UnmarshalJSONField", "Record.Username", "Record.ValidatePassword", "Record.Verified", "Record.getNormalizeDataValueForDB" ] }, { "path": "github.com/pocketbase/pocketbase/models/schema", "symbols": [ "AuthFieldNames" ] }, { "path": "github.com/pocketbase/pocketbase/daos", "symbols": [ "Dao.CanAccessRecord", "Dao.CreateViewSchema", "Dao.Delete", "Dao.DeleteAdmin", "Dao.DeleteCollection", "Dao.DeleteExternalAuth", "Dao.DeleteOldLogs", "Dao.DeleteParam", "Dao.DeleteRecord", "Dao.DeleteTable", "Dao.DeleteView", "Dao.ExpandRecord", "Dao.ExpandRecords", "Dao.FindAdminByEmail", "Dao.FindAdminById", "Dao.FindAdminByToken", "Dao.FindAllExternalAuthsByRecord", "Dao.FindAuthRecordByEmail", "Dao.FindAuthRecordByToken", "Dao.FindAuthRecordByUsername", "Dao.FindById", "Dao.FindCollectionByNameOrId", "Dao.FindCollectionReferences", "Dao.FindCollectionsByType", "Dao.FindExternalAuthByRecordAndProvider", "Dao.FindFirstExternalAuthByExpr", "Dao.FindFirstRecordByData", "Dao.FindFirstRecordByFilter", "Dao.FindLogById", "Dao.FindParamByKey", "Dao.FindRecordById", "Dao.FindRecordByViewFile", "Dao.FindRecordsByExpr", "Dao.FindRecordsByFilter", "Dao.FindRecordsByIds", "Dao.FindSettings", "Dao.HasTable", "Dao.ImportCollections", "Dao.IsAdminEmailUnique", "Dao.IsCollectionNameUnique", "Dao.IsRecordValueUnique", "Dao.LogsStats", "Dao.RecordQuery", "Dao.RunInTransaction", "Dao.Save", "Dao.SaveAdmin", "Dao.SaveCollection", "Dao.SaveExternalAuth", "Dao.SaveLog", "Dao.SaveParam", "Dao.SaveRecord", "Dao.SaveSettings", "Dao.SaveView", "Dao.SuggestUniqueAuthRecordUsername", "Dao.SyncRecordTableSchema", "Dao.TableColumns", "Dao.TableIndexes", "Dao.TableInfo", "Dao.TotalAdmins", "Dao.Vacuum" ] }, { "path": "github.com/pocketbase/pocketbase/forms", "symbols": [ "AdminLogin.Submit", "AdminLogin.Validate", "AdminPasswordResetConfirm.Submit", "AdminPasswordResetConfirm.Validate", "AdminPasswordResetRequest.Submit", "AdminPasswordResetRequest.Validate", "AdminUpsert.Submit", "AdminUpsert.Validate", "AppleClientSecretCreate.Submit", "AppleClientSecretCreate.Validate", "BackupCreate.Submit", "BackupCreate.Validate", "BackupUpload.Submit", "BackupUpload.Validate", "CollectionUpsert.Submit", "CollectionUpsert.Validate", "CollectionsImport.Submit", "CollectionsImport.Validate", "NewRecordUpsert", "RealtimeSubscribe.Validate", "RecordEmailChangeConfirm.Submit", "RecordEmailChangeConfirm.Validate", "RecordEmailChangeRequest.Submit", "RecordEmailChangeRequest.Validate", "RecordOAuth2Login.Submit", "RecordOAuth2Login.Validate", "RecordOAuth2Login.submit", "RecordPasswordLogin.Submit", "RecordPasswordLogin.Validate", "RecordPasswordResetConfirm.Submit", "RecordPasswordResetConfirm.Validate", "RecordPasswordResetRequest.Submit", "RecordPasswordResetRequest.Validate", "RecordUpsert.DrySubmit", "RecordUpsert.LoadData", "RecordUpsert.LoadRequest", "RecordUpsert.Submit", "RecordUpsert.Validate", "RecordUpsert.ValidateAndFill", "RecordVerificationConfirm.Submit", "RecordVerificationConfirm.Validate", "RecordVerificationRequest.Submit", "RecordVerificationRequest.Validate", "SettingsUpsert.Submit", "SettingsUpsert.Validate", "TestEmailSend.Submit", "TestEmailSend.Validate", "TestS3Filesystem.Submit", "TestS3Filesystem.Validate" ] } ] } } ], "references": [ { "type": "ADVISORY", "url": "https://github.com/pocketbase/pocketbase/security/advisories/GHSA-m93w-4fxv-r35v" }, { "type": "FIX", "url": "https://github.com/pocketbase/pocketbase/commit/58ace5d5e7b9b979490019cf8d1b88491e5daec5" }, { "type": "WEB", "url": "https://github.com/pocketbase/pocketbase/discussions/4355" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2024-2936", "review_status": "REVIEWED" } }