Google Git
Sign in
go / vulndb / 842487caaa036933f988cb3f54162dce2886711a / . / data / osv / GO-2024-2936.json
blob: d3f56d8a715da3884f0027fa60fda816fe72f115 [file] [log] [blame]
{
"schema_version": "1.3.1",
"id": "GO-2024-2936",
"modified": "0001-01-01T00:00:00Z",
"published": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2024-38351",
"GHSA-m93w-4fxv-r35v"
],
"summary": "PocketBase performs password auth and OAuth2 unverified email linking in github.com/pocketbase/pocketbase",
"details": "PocketBase performs password auth and OAuth2 unverified email linking in github.com/pocketbase/pocketbase",
"affected": [
{
"package": {
"name": "github.com/pocketbase/pocketbase",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.22.14"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/pocketbase/pocketbase/apis",
"symbols": [
"EnrichRecord",
"EnrichRecords",
"RecordAuthResponse",
"Serve",
"recordAuthApi.authWithOAuth2",
"recordAuthApi.authWithPassword"
]
},
{
"path": "github.com/pocketbase/pocketbase/models",
"symbols": [
"NewRecordFromNullStringMap",
"NewRecordsFromNullStringMaps",
"Record.CleanCopy",
"Record.ColumnValueMap",
"Record.Email",
"Record.EmailVisibility",
"Record.FindFileFieldByFile",
"Record.Get",
"Record.GetBool",
"Record.GetDateTime",
"Record.GetFloat",
"Record.GetInt",
"Record.GetString",
"Record.GetStringSlice",
"Record.GetTime",
"Record.LastResetSentAt",
"Record.LastVerificationSentAt",
"Record.Load",
"Record.MarshalJSON",
"Record.OriginalCopy",
"Record.PasswordHash",
"Record.PublicExport",
"Record.RefreshTokenKey",
"Record.ReplaceModifers",
"Record.Set",
"Record.SetEmail",
"Record.SetEmailVisibility",
"Record.SetLastResetSentAt",
"Record.SetLastVerificationSentAt",
"Record.SetPassword",
"Record.SetTokenKey",
"Record.SetUsername",
"Record.SetVerified",
"Record.TokenKey",
"Record.UnknownData",
"Record.UnmarshalJSON",
"Record.UnmarshalJSONField",
"Record.Username",
"Record.ValidatePassword",
"Record.Verified",
"Record.getNormalizeDataValueForDB"
]
},
{
"path": "github.com/pocketbase/pocketbase/models/schema",
"symbols": [
"AuthFieldNames"
]
},
{
"path": "github.com/pocketbase/pocketbase/daos",
"symbols": [
"Dao.CanAccessRecord",
"Dao.CreateViewSchema",
"Dao.Delete",
"Dao.DeleteAdmin",
"Dao.DeleteCollection",
"Dao.DeleteExternalAuth",
"Dao.DeleteOldLogs",
"Dao.DeleteParam",
"Dao.DeleteRecord",
"Dao.DeleteTable",
"Dao.DeleteView",
"Dao.ExpandRecord",
"Dao.ExpandRecords",
"Dao.FindAdminByEmail",
"Dao.FindAdminById",
"Dao.FindAdminByToken",
"Dao.FindAllExternalAuthsByRecord",
"Dao.FindAuthRecordByEmail",
"Dao.FindAuthRecordByToken",
"Dao.FindAuthRecordByUsername",
"Dao.FindById",
"Dao.FindCollectionByNameOrId",
"Dao.FindCollectionReferences",
"Dao.FindCollectionsByType",
"Dao.FindExternalAuthByRecordAndProvider",
"Dao.FindFirstExternalAuthByExpr",
"Dao.FindFirstRecordByData",
"Dao.FindFirstRecordByFilter",
"Dao.FindLogById",
"Dao.FindParamByKey",
"Dao.FindRecordById",
"Dao.FindRecordByViewFile",
"Dao.FindRecordsByExpr",
"Dao.FindRecordsByFilter",
"Dao.FindRecordsByIds",
"Dao.FindSettings",
"Dao.HasTable",
"Dao.ImportCollections",
"Dao.IsAdminEmailUnique",
"Dao.IsCollectionNameUnique",
"Dao.IsRecordValueUnique",
"Dao.LogsStats",
"Dao.RecordQuery",
"Dao.RunInTransaction",
"Dao.Save",
"Dao.SaveAdmin",
"Dao.SaveCollection",
"Dao.SaveExternalAuth",
"Dao.SaveLog",
"Dao.SaveParam",
"Dao.SaveRecord",
"Dao.SaveSettings",
"Dao.SaveView",
"Dao.SuggestUniqueAuthRecordUsername",
"Dao.SyncRecordTableSchema",
"Dao.TableColumns",
"Dao.TableIndexes",
"Dao.TableInfo",
"Dao.TotalAdmins",
"Dao.Vacuum"
]
},
{
"path": "github.com/pocketbase/pocketbase/forms",
"symbols": [
"AdminLogin.Submit",
"AdminLogin.Validate",
"AdminPasswordResetConfirm.Submit",
"AdminPasswordResetConfirm.Validate",
"AdminPasswordResetRequest.Submit",
"AdminPasswordResetRequest.Validate",
"AdminUpsert.Submit",
"AdminUpsert.Validate",
"AppleClientSecretCreate.Submit",
"AppleClientSecretCreate.Validate",
"BackupCreate.Submit",
"BackupCreate.Validate",
"BackupUpload.Submit",
"BackupUpload.Validate",
"CollectionUpsert.Submit",
"CollectionUpsert.Validate",
"CollectionsImport.Submit",
"CollectionsImport.Validate",
"NewRecordUpsert",
"RealtimeSubscribe.Validate",
"RecordEmailChangeConfirm.Submit",
"RecordEmailChangeConfirm.Validate",
"RecordEmailChangeRequest.Submit",
"RecordEmailChangeRequest.Validate",
"RecordOAuth2Login.Submit",
"RecordOAuth2Login.Validate",
"RecordOAuth2Login.submit",
"RecordPasswordLogin.Submit",
"RecordPasswordLogin.Validate",
"RecordPasswordResetConfirm.Submit",
"RecordPasswordResetConfirm.Validate",
"RecordPasswordResetRequest.Submit",
"RecordPasswordResetRequest.Validate",
"RecordUpsert.DrySubmit",
"RecordUpsert.LoadData",
"RecordUpsert.LoadRequest",
"RecordUpsert.Submit",
"RecordUpsert.Validate",
"RecordUpsert.ValidateAndFill",
"RecordVerificationConfirm.Submit",
"RecordVerificationConfirm.Validate",
"RecordVerificationRequest.Submit",
"RecordVerificationRequest.Validate",
"SettingsUpsert.Submit",
"SettingsUpsert.Validate",
"TestEmailSend.Submit",
"TestEmailSend.Validate",
"TestS3Filesystem.Submit",
"TestS3Filesystem.Validate"
]
}
]
}
}
],
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/pocketbase/pocketbase/security/advisories/GHSA-m93w-4fxv-r35v"
},
{
"type": "FIX",
"url": "https://github.com/pocketbase/pocketbase/commit/58ace5d5e7b9b979490019cf8d1b88491e5daec5"
},
{
"type": "WEB",
"url": "https://github.com/pocketbase/pocketbase/discussions/4355"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2024-2936",
"review_status": "REVIEWED"
}
}