CVE-2024-27918
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Summary
Coder allows oragnizations to provision remote development environments via Terraform. Prior to versions 2.6.1, 2.7.3, and 2.8.4, a vulnerability in Coder's OIDC authentication could allow an attacker to bypass the CODER_OIDC_EMAIL_DOMAIN verification and create an account with an email not in the allowlist. Deployments are only affected if the OIDC provider allows users to create accounts on the provider. During OIDC registration, the user's email was improperly validated against the allowed CODER_OIDC_EMAIL_DOMAINs. This could allow a user with a domain that only partially matched an allowed domain to successfully login or register. An attacker could register a domain name that exploited this vulnerability and register on a Coder instance with a public OIDC provider.
Coder instances with OIDC enabled and protected by the CODER_OIDC_EMAIL_DOMAIN configuration are affected. Coder instances using a private OIDC provider are not affected, as arbitrary users cannot register through a private OIDC provider without first having an account on the provider. Public OIDC providers are impacted. GitHub authentication and external authentication are not impacted. This vulnerability is remedied in versions 2.8.4, 2.7.3, and 2.6.1 All versions prior to these patches are affected by the vulnerability.*It is recommended that customers upgrade their deployments as soon as possible if they are utilizing OIDC authentication with the CODER_OIDC_EMAIL_DOMAIN setting.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| coder | coder | >= 2.8.0, < 2.8.4 | affected |
| coder | coder | >= 2.7.0, < 2.7.3 | affected |
| coder | coder | < 2.6.1 | affected |
Weaknesses
- CWE-20: CWE-20: Improper Input Validation
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/coder/coder/security/advisories/GHSA-7cc2-r658-7xpf
- https://github.com/coder/coder/commit/1171ce7add017481d28441575024209ac160ecb0
- https://github.com/coder/coder/commit/2ba84911f8b02605e5958d5e4a2fe3979ec50b31
- https://github.com/coder/coder/commit/2d37eb42e7db656e343fe1f36de5ab1a1a62f4fb
- https://github.com/coder/coder/commit/4439a920e454a82565e445e4376c669e3b89591c
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
- https://github.com/coder/coder/security/advisories/GHSA-7cc2-r658-7xpf
- https://github.com/coder/coder/commit/1171ce7add017481d28441575024209ac160ecb0
- https://github.com/coder/coder/commit/2ba84911f8b02605e5958d5e4a2fe3979ec50b31
- https://github.com/coder/coder/commit/2d37eb42e7db656e343fe1f36de5ab1a1a62f4fb
- https://github.com/coder/coder/commit/4439a920e454a82565e445e4376c669e3b89591c
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.