CVSS3

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | REQUIRED |
Scope | UNCHANGED |
Confidentiality Impact | LOW |
Integrity Impact | LOW |
Availability Impact | NONE |
Vector string | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N |

EPSS percentile: 9.0%
In order to be exploited you must have both OAuth2 and Password auth methods enabled.
A possible attack scenario could be:
To prevent this from happening, we now reset the password in this specific case if the previously created user wasn't verified (the exception is an explicit/manual link, i.e. when you send Authorization:TOKEN with the OAuth2 auth call).
Additionally, to warn existing users, we now send an email alert when a user has logged in with a password but has at least one OAuth2 account linked. It looks something like:
Hello,
Just to let you know that someone has logged in to your Acme account using a password while you already have OAuth2 GitLab auth linked.
If you have recently signed in with a password, you may disregard this email.
If you don’t recognize the above action, you should immediately change your Acme account password.
Thanks,
Acme team
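As an added illustration of the two rules described above, the following Go models the decision logic: reset the password when an OAuth2 login is implicitly matched to an unverified password account (unless the link is explicit, i.e. the call carried an Authorization token), and send the warning email on a password login to an account that already has an OAuth2 provider linked. This is hypothetical example code, not PocketBase's own implementation; `User`, `DecideOAuth2Link`, `HandleOAuth2Login` and `PasswordLoginAlert` are names chosen here, "Acme" stands in for the deployment name, and the password reset is modelled by clearing a flag rather than rotating a stored hash.

```go
package main

import (
	"fmt"
	"strings"
)

// User is a minimal, hypothetical account model for this example (not
// PocketBase's record type); it carries only the state the mitigation needs.
type User struct {
	Email        string
	Verified     bool     // email ownership has been confirmed
	HasPassword  bool     // the password auth method is set on this account
	LinkedOAuth2 []string // OAuth2 providers already linked, e.g. "gitlab"
}

// LinkDecision records what the server does when an OAuth2 login resolves to
// an already existing account with the same email address.
type LinkDecision struct {
	ResetPassword bool
	Reason        string
}

// DecideOAuth2Link applies the advisory's rule: an implicit (email match) link
// to a user whose email was never verified resets that user's password, so
// whoever pre-registered the unverified password account loses access to it.
// An explicit link, where the OAuth2 call carried an Authorization: TOKEN
// header of an authenticated session, is exempt: the owner asked for it.
func DecideOAuth2Link(u *User, explicitLink bool) LinkDecision {
	switch {
	case explicitLink:
		return LinkDecision{false, "explicit link by the authenticated owner"}
	case !u.Verified && u.HasPassword:
		return LinkDecision{true, "implicit link to an unverified password account"}
	default:
		return LinkDecision{false, "verified account or no password set"}
	}
}

// HandleOAuth2Login simulates the server side of an OAuth2 sign-in: create the
// account if none exists, otherwise link the provider to the existing one,
// resetting its password when DecideOAuth2Link says so. The reset is modelled
// by clearing HasPassword; a real server would store a fresh random hash.
func HandleOAuth2Login(users map[string]*User, email, provider string, explicitLink bool) (*User, LinkDecision) {
	u, ok := users[email]
	if !ok {
		// Assumption for this example: an address the provider vouched for
		// counts as verified on a freshly created account.
		u = &User{Email: email, Verified: true}
		users[email] = u
	}
	d := DecideOAuth2Link(u, explicitLink)
	if d.ResetPassword {
		u.HasPassword = false
	}
	u.LinkedOAuth2 = append(u.LinkedOAuth2, provider)
	return u, d
}

// PasswordLoginAlert reports whether a successful password login must send the
// warning email from the advisory and builds its body when it must: the
// trigger is an account with at least one OAuth2 provider already linked.
func PasswordLoginAlert(u *User, appName string) (bool, string) {
	if len(u.LinkedOAuth2) == 0 {
		return false, ""
	}
	body := fmt.Sprintf(
		"Hello,\n\nJust to let you know that someone has logged in to your %s account using a password while you already have OAuth2 %s auth linked.\n"+
			"If you have recently signed in with a password, you may disregard this email.\n"+
			"If you don't recognize the above action, you should immediately change your %s account password.\n\nThanks,\n%s team\n",
		appName, strings.Join(u.LinkedOAuth2, ", "), appName, appName)
	return true, body
}

func main() {
	// Constructed scenario: an unverified password account already exists for
	// this address when an OAuth2 login for the same email arrives.
	users := map[string]*User{
		"victim@example.com": {Email: "victim@example.com", Verified: false, HasPassword: true},
	}
	u, d := HandleOAuth2Login(users, "victim@example.com", "gitlab", false)
	fmt.Printf("reset=%v (%s), hasPassword=%v\n", d.ResetPassword, d.Reason, u.HasPassword)
	if alert, body := PasswordLoginAlert(u, "Acme"); alert {
		fmt.Print(body)
	}
}
```

Running the block prints `reset=true (implicit link to an unverified password account), hasPassword=false` followed by the alert email body; passing `true` for `explicitLink` leaves the password in place, which is the manual-link exception the advisory describes.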
The flow will be further improved with the ongoing refactoring, and we will start sending emails for "unrecognized device" logins (OTP and MFA are already implemented and will be available with the next v0.23.0 release in the near future).
Vendor | Product | Version | CPE |
---|---|---|---|
pocketbase | pocketbase | * | cpe:2.3:a:pocketbase:pocketbase:*:*:*:*:*:*:*:* |