Vulnerability Report: GO-2024-2936
- CVE-2024-38351, GHSA-m93w-4fxv-r35v
- Affects: github.com/pocketbase/pocketbase
- Published: Jul 01, 2024
PocketBase links OAuth2 logins to existing password-auth accounts through unverified email addresses in github.com/pocketbase/pocketbase
For detailed information about this vulnerability, visit https://github.com/pocketbase/pocketbase/security/advisories/GHSA-m93w-4fxv-r35v.
Affected Packages
Path | Go Versions | Symbols
- | before v0.22.14 |
- | before v0.22.14 | 40 affected symbols:
- NewRecordFromNullStringMap
- NewRecordsFromNullStringMaps
- Record.CleanCopy
- Record.ColumnValueMap
- Record.Email
- Record.EmailVisibility
- Record.FindFileFieldByFile
- Record.Get
- Record.GetBool
- Record.GetDateTime
- Record.GetFloat
- Record.GetInt
- Record.GetString
- Record.GetStringSlice
- Record.GetTime
- Record.LastResetSentAt
- Record.LastVerificationSentAt
- Record.Load
- Record.MarshalJSON
- Record.OriginalCopy
- Record.PasswordHash
- Record.PublicExport
- Record.RefreshTokenKey
- Record.ReplaceModifers
- Record.Set
- Record.SetEmail
- Record.SetEmailVisibility
- Record.SetLastResetSentAt
- Record.SetLastVerificationSentAt
- Record.SetPassword
- Record.SetTokenKey
- Record.SetUsername
- Record.SetVerified
- Record.TokenKey
- Record.UnknownData
- Record.UnmarshalJSON
- Record.UnmarshalJSONField
- Record.Username
- Record.ValidatePassword
- Record.Verified
- | before v0.22.14 |
- | before v0.22.14 | 60 affected symbols:
- Dao.CanAccessRecord
- Dao.CreateViewSchema
- Dao.Delete
- Dao.DeleteAdmin
- Dao.DeleteCollection
- Dao.DeleteExternalAuth
- Dao.DeleteOldLogs
- Dao.DeleteParam
- Dao.DeleteRecord
- Dao.DeleteTable
- Dao.DeleteView
- Dao.ExpandRecord
- Dao.ExpandRecords
- Dao.FindAdminByEmail
- Dao.FindAdminById
- Dao.FindAdminByToken
- Dao.FindAllExternalAuthsByRecord
- Dao.FindAuthRecordByEmail
- Dao.FindAuthRecordByToken
- Dao.FindAuthRecordByUsername
- Dao.FindById
- Dao.FindCollectionByNameOrId
- Dao.FindCollectionReferences
- Dao.FindCollectionsByType
- Dao.FindExternalAuthByRecordAndProvider
- Dao.FindFirstExternalAuthByExpr
- Dao.FindFirstRecordByData
- Dao.FindFirstRecordByFilter
- Dao.FindLogById
- Dao.FindParamByKey
- Dao.FindRecordById
- Dao.FindRecordByViewFile
- Dao.FindRecordsByExpr
- Dao.FindRecordsByFilter
- Dao.FindRecordsByIds
- Dao.FindSettings
- Dao.HasTable
- Dao.ImportCollections
- Dao.IsAdminEmailUnique
- Dao.IsCollectionNameUnique
- Dao.IsRecordValueUnique
- Dao.LogsStats
- Dao.RecordQuery
- Dao.RunInTransaction
- Dao.Save
- Dao.SaveAdmin
- Dao.SaveCollection
- Dao.SaveExternalAuth
- Dao.SaveLog
- Dao.SaveParam
- Dao.SaveRecord
- Dao.SaveSettings
- Dao.SaveView
- Dao.SuggestUniqueAuthRecordUsername
- Dao.SyncRecordTableSchema
- Dao.TableColumns
- Dao.TableIndexes
- Dao.TableInfo
- Dao.TotalAdmins
- Dao.Vacuum
- | before v0.22.14 | 48 affected symbols:
- AdminLogin.Submit
- AdminLogin.Validate
- AdminPasswordResetConfirm.Submit
- AdminPasswordResetConfirm.Validate
- AdminPasswordResetRequest.Submit
- AdminPasswordResetRequest.Validate
- AdminUpsert.Submit
- AdminUpsert.Validate
- AppleClientSecretCreate.Submit
- AppleClientSecretCreate.Validate
- BackupCreate.Submit
- BackupCreate.Validate
- BackupUpload.Submit
- BackupUpload.Validate
- CollectionUpsert.Submit
- CollectionUpsert.Validate
- CollectionsImport.Submit
- CollectionsImport.Validate
- NewRecordUpsert
- RealtimeSubscribe.Validate
- RecordEmailChangeConfirm.Submit
- RecordEmailChangeConfirm.Validate
- RecordEmailChangeRequest.Submit
- RecordEmailChangeRequest.Validate
- RecordOAuth2Login.Submit
- RecordOAuth2Login.Validate
- RecordPasswordLogin.Submit
- RecordPasswordLogin.Validate
- RecordPasswordResetConfirm.Submit
- RecordPasswordResetConfirm.Validate
- RecordPasswordResetRequest.Submit
- RecordPasswordResetRequest.Validate
- RecordUpsert.DrySubmit
- RecordUpsert.LoadData
- RecordUpsert.LoadRequest
- RecordUpsert.Submit
- RecordUpsert.Validate
- RecordUpsert.ValidateAndFill
- RecordVerificationConfirm.Submit
- RecordVerificationConfirm.Validate
- RecordVerificationRequest.Submit
- RecordVerificationRequest.Validate
- SettingsUpsert.Submit
- SettingsUpsert.Validate
- TestEmailSend.Submit
- TestEmailSend.Validate
- TestS3Filesystem.Submit
- TestS3Filesystem.Validate
References
- https://github.com/pocketbase/pocketbase/security/advisories/GHSA-m93w-4fxv-r35v
- https://github.com/pocketbase/pocketbase/commit/58ace5d5e7b9b979490019cf8d1b88491e5daec5
- https://github.com/pocketbase/pocketbase/discussions/4355
- https://vuln.go.dev/ID/GO-2024-2936.json