{"id":"GO-2024-2936","summary":"PocketBase performs password auth and OAuth2 unverified email linking in github.com/pocketbase/pocketbase","details":"PocketBase links password auth and OAuth2 sign-ins to the same account by email address even when that email is unverified, in github.com/pocketbase/pocketbase","aliases":["CVE-2024-38351","GHSA-m93w-4fxv-r35v"],"modified":"2024-07-01T20:29:10.679879Z","published":"2024-07-01T19:59:12Z","database_specific":{"url":"https://pkg.go.dev/vuln/GO-2024-2936","review_status":"REVIEWED"},"references":[{"type":"ADVISORY","url":"https://github.com/pocketbase/pocketbase/security/advisories/GHSA-m93w-4fxv-r35v"},{"type":"FIX","url":"https://github.com/pocketbase/pocketbase/commit/58ace5d5e7b9b979490019cf8d1b88491e5daec5"},{"type":"WEB","url":"https://github.com/pocketbase/pocketbase/discussions/4355"}],"affected":[{"package":{"name":"github.com/pocketbase/pocketbase","ecosystem":"Go","purl":"pkg:golang/github.com/pocketbase/pocketbase"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.22.14"}]}],"ecosystem_specific":{"imports":[{"path":"github.com/pocketbase/pocketbase/apis","symbols":["EnrichRecord","EnrichRecords","RecordAuthResponse","Serve","recordAuthApi.authWithOAuth2","recordAuthApi.authWithPassword"]},{"path":"github.com/pocketbase/pocketbase/models","symbols":["NewRecordFromNullStringMap","NewRecordsFromNullStringMaps","Record.CleanCopy","Record.ColumnValueMap","Record.Email","Record.EmailVisibility","Record.FindFileFieldByFile","Record.Get","Record.GetBool","Record.GetDateTime","Record.GetFloat","Record.GetInt","Record.GetString","Record.GetStringSlice","Record.GetTime","Record.LastResetSentAt","Record.LastVerificationSentAt","Record.Load","Record.MarshalJSON","Record.OriginalCopy","Record.PasswordHash","Record.PublicExport","Record.RefreshTokenKey","Record.ReplaceModifers","Record.Set","Record.SetEmail","Record.SetEmailVisibility","Record.SetLastResetSentAt","Record.SetLastVerificationSentAt","Record.SetPassword","Record.SetTokenKey","Record.SetUsername",
"Record.SetVerified","Record.TokenKey","Record.UnknownData","Record.UnmarshalJSON","Record.UnmarshalJSONField","Record.Username","Record.ValidatePassword","Record.Verified","Record.getNormalizeDataValueForDB"]},{"path":"github.com/pocketbase/pocketbase/models/schema","symbols":["AuthFieldNames"]},{"path":"github.com/pocketbase/pocketbase/daos","symbols":["Dao.CanAccessRecord","Dao.CreateViewSchema","Dao.Delete","Dao.DeleteAdmin","Dao.DeleteCollection","Dao.DeleteExternalAuth","Dao.DeleteOldLogs","Dao.DeleteParam","Dao.DeleteRecord","Dao.DeleteTable","Dao.DeleteView","Dao.ExpandRecord","Dao.ExpandRecords","Dao.FindAdminByEmail","Dao.FindAdminById","Dao.FindAdminByToken","Dao.FindAllExternalAuthsByRecord","Dao.FindAuthRecordByEmail","Dao.FindAuthRecordByToken","Dao.FindAuthRecordByUsername","Dao.FindById","Dao.FindCollectionByNameOrId","Dao.FindCollectionReferences","Dao.FindCollectionsByType","Dao.FindExternalAuthByRecordAndProvider","Dao.FindFirstExternalAuthByExpr","Dao.FindFirstRecordByData","Dao.FindFirstRecordByFilter","Dao.FindLogById","Dao.FindParamByKey","Dao.FindRecordById","Dao.FindRecordByViewFile","Dao.FindRecordsByExpr","Dao.FindRecordsByFilter","Dao.FindRecordsByIds","Dao.FindSettings","Dao.HasTable","Dao.ImportCollections","Dao.IsAdminEmailUnique","Dao.IsCollectionNameUnique","Dao.IsRecordValueUnique","Dao.LogsStats","Dao.RecordQuery","Dao.RunInTransaction","Dao.Save","Dao.SaveAdmin","Dao.SaveCollection","Dao.SaveExternalAuth","Dao.SaveLog","Dao.SaveParam","Dao.SaveRecord","Dao.SaveSettings","Dao.SaveView","Dao.SuggestUniqueAuthRecordUsername","Dao.SyncRecordTableSchema","Dao.TableColumns","Dao.TableIndexes","Dao.TableInfo","Dao.TotalAdmins","Dao.Vacuum"]},{"path":"github.com/pocketbase/pocketbase/forms","symbols":["AdminLogin.Submit","AdminLogin.Validate","AdminPasswordResetConfirm.Submit","AdminPasswordResetConfirm.Validate","AdminPasswordResetRequest.Submit","AdminPasswordResetRequest.Validate","AdminUpsert.Submit","AdminUpsert.Validate","AppleClien
tSecretCreate.Submit","AppleClientSecretCreate.Validate","BackupCreate.Submit","BackupCreate.Validate","BackupUpload.Submit","BackupUpload.Validate","CollectionUpsert.Submit","CollectionUpsert.Validate","CollectionsImport.Submit","CollectionsImport.Validate","NewRecordUpsert","RealtimeSubscribe.Validate","RecordEmailChangeConfirm.Submit","RecordEmailChangeConfirm.Validate","RecordEmailChangeRequest.Submit","RecordEmailChangeRequest.Validate","RecordOAuth2Login.Submit","RecordOAuth2Login.Validate","RecordOAuth2Login.submit","RecordPasswordLogin.Submit","RecordPasswordLogin.Validate","RecordPasswordResetConfirm.Submit","RecordPasswordResetConfirm.Validate","RecordPasswordResetRequest.Submit","RecordPasswordResetRequest.Validate","RecordUpsert.DrySubmit","RecordUpsert.LoadData","RecordUpsert.LoadRequest","RecordUpsert.Submit","RecordUpsert.Validate","RecordUpsert.ValidateAndFill","RecordVerificationConfirm.Submit","RecordVerificationConfirm.Validate","RecordVerificationRequest.Submit","RecordVerificationRequest.Validate","SettingsUpsert.Submit","SettingsUpsert.Validate","TestEmailSend.Submit","TestEmailSend.Validate","TestS3Filesystem.Submit","TestS3Filesystem.Validate"]}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2024-2936.json"}}],"schema_version":"1.7.3"}