data/reports: add GO-2024-2602.yaml

Aliases: CVE-2024-27918, GHSA-7cc2-r658-7xpf

Fixes golang/vulndb#2602

Change-Id: I977a4b63e73049b5b5404b53bdb38497fbd0a131
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/570716
Auto-Submit: Maceo Thompson <maceothompson@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
diff --git a/data/osv/GO-2024-2602.json b/data/osv/GO-2024-2602.json
new file mode 100644
index 0000000..b2c663e
--- /dev/null
+++ b/data/osv/GO-2024-2602.json
@@ -0,0 +1,116 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-2602",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-27918",
+    "GHSA-7cc2-r658-7xpf"
+  ],
+  "summary": "Incorrect email domain verification in github.com/coder/coder",
+  "details": "A vulnerability in Coder's OIDC authentication could allow an attacker to bypass the CODER_OIDC_EMAIL_DOMAIN verification and create an account with an email not in the allowlist. Deployments are only affected if the OIDC provider allows users to create accounts on the provider (such as public providers like google.com). During OIDC registration, the user's email was improperly validated against the allowed CODER_OIDC_EMAIL_DOMAINs.",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/coder/coder",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "github.com/coder/coder/coderd",
+            "symbols": [
+              "API.New",
+              "Api.userOIDC"
+            ]
+          }
+        ]
+      }
+    },
+    {
+      "package": {
+        "name": "github.com/coder/coder/v2",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.6.1"
+            },
+            {
+              "introduced": "2.7.0"
+            },
+            {
+              "fixed": "2.7.3"
+            },
+            {
+              "introduced": "2.8.0"
+            },
+            {
+              "fixed": "2.8.4"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "github.com/coder/coder/v2/coderd",
+            "symbols": [
+              "Api.New",
+              "Api.userOIDC"
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/coder/coder/security/advisories/GHSA-7cc2-r658-7xpf"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/coder/coder/commit/1171ce7add017481d28441575024209ac160ecb0"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/coder/coder/commit/2ba84911f8b02605e5958d5e4a2fe3979ec50b31"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/coder/coder/commit/2d37eb42e7db656e343fe1f36de5ab1a1a62f4fb"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/coder/coder/commit/4439a920e454a82565e445e4376c669e3b89591c"
+    }
+  ],
+  "credits": [
+    {
+      "name": "arcz"
+    },
+    {
+      "name": "maxammann"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-2602"
+  }
+}
\ No newline at end of file
diff --git a/data/reports/GO-2024-2602.yaml b/data/reports/GO-2024-2602.yaml
new file mode 100644
index 0000000..f3b8377
--- /dev/null
+++ b/data/reports/GO-2024-2602.yaml
@@ -0,0 +1,43 @@
+id: GO-2024-2602
+modules:
+    - module: github.com/coder/coder
+      vulnerable_at: 0.27.3
+      packages:
+        - package: github.com/coder/coder/coderd
+          symbols:
+            - Api.userOIDC
+            - API.New
+    - module: github.com/coder/coder/v2
+      versions:
+        - fixed: 2.6.1
+        - introduced: 2.7.0
+          fixed: 2.7.3
+        - introduced: 2.8.0
+          fixed: 2.8.4
+      vulnerable_at: 2.8.3
+      packages:
+        - package: github.com/coder/coder/v2/coderd
+          symbols:
+            - Api.userOIDC
+            - Api.New
+summary: Incorrect email domain verification in github.com/coder/coder
+description: |-
+    A vulnerability in Coder's OIDC authentication could allow an attacker to bypass
+    the CODER_OIDC_EMAIL_DOMAIN verification and create an account with an email
+    not in the allowlist. Deployments are only affected if the OIDC provider allows
+    users to create accounts on the provider (such as public providers like
+    google.com). During OIDC registration, the user's email was improperly
+    validated against the allowed CODER_OIDC_EMAIL_DOMAINs.
+cves:
+    - CVE-2024-27918
+ghsas:
+    - GHSA-7cc2-r658-7xpf
+credits:
+    - arcz
+    - maxammann
+references:
+    - advisory: https://github.com/coder/coder/security/advisories/GHSA-7cc2-r658-7xpf
+    - fix: https://github.com/coder/coder/commit/1171ce7add017481d28441575024209ac160ecb0
+    - fix: https://github.com/coder/coder/commit/2ba84911f8b02605e5958d5e4a2fe3979ec50b31
+    - fix: https://github.com/coder/coder/commit/2d37eb42e7db656e343fe1f36de5ab1a1a62f4fb
+    - fix: https://github.com/coder/coder/commit/4439a920e454a82565e445e4376c669e3b89591c
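Review bot: The symbol lists spell the receiver type two ways: `Api.userOIDC` next to `API.New` under github.com/coder/coder, and `Api.userOIDC` next to `Api.New` under github.com/coder/coder/v2. Go identifiers are case-sensitive, so at most one spelling can name a real type in `coderd`, and a symbol that does not resolve can cause symbol-level scanners to under-report reachable calls into the affected OIDC code. Please confirm the names against the package at each `vulnerable_at` version; if the type is `API` and `New` is a package-level constructor (an inference, since the package source is not shown here), the entries would read `- API.userOIDC` and `- New`. The generated data/osv/GO-2024-2602.json carries the same strings in both `symbols` arrays and should be regenerated once the report is corrected.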