| id: GO-2024-2602 |
| modules: |
| - module: github.com/coder/coder |
| vulnerable_at: 0.27.3 |
| packages: |
| - package: github.com/coder/coder/coderd |
| symbols: |
| - Api.userOIDC |
| - API.New |
| - module: github.com/coder/coder/v2 |
| versions: |
| - fixed: 2.6.1 |
| - introduced: 2.7.0 |
| - fixed: 2.7.3 |
| - introduced: 2.8.0 |
| - fixed: 2.8.4 |
| vulnerable_at: 2.8.3 |
| packages: |
| - package: github.com/coder/coder/v2/coderd |
| symbols: |
| - Api.userOIDC |
| - Api.New |
| summary: Incorrect email domain verification in github.com/coder/coder |
| description: |- |
| A vulnerability in Coder's OIDC authentication could allow an attacker to bypass |
| the CODER_OIDC_EMAIL_DOMAIN verification and create an account with an email not |
| in the allowlist. Deployments are only affected if the OIDC provider allows |
| users to create accounts on the provider (such as public providers like |
| google.com). During OIDC registration, the user's email was improperly validated |
| against the allowed CODER_OIDC_EMAIL_DOMAINs. |
| cves: |
| - CVE-2024-27918 |
| ghsas: |
| - GHSA-7cc2-r658-7xpf |
| credits: |
| - arcz |
| - maxammann |
| references: |
| - advisory: https://github.com/coder/coder/security/advisories/GHSA-7cc2-r658-7xpf |
| - fix: https://github.com/coder/coder/commit/1171ce7add017481d28441575024209ac160ecb0 |
| - fix: https://github.com/coder/coder/commit/2ba84911f8b02605e5958d5e4a2fe3979ec50b31 |
| - fix: https://github.com/coder/coder/commit/2d37eb42e7db656e343fe1f36de5ab1a1a62f4fb |
| - fix: https://github.com/coder/coder/commit/4439a920e454a82565e445e4376c669e3b89591c |
| review_status: REVIEWED |
