8.2 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
7 High
AI Score
Confidence
Low
0.0004 Low
EPSS
Percentile
15.7%
A vulnerability in Coderβs OIDC authentication could allow an attacker to bypass the CODER_OIDC_EMAIL_DOMAIN
verification and create an account with an email not in the allowlist. Deployments are only affected if the OIDC provider allows users to create accounts on the provider (such as public providers like google.com
).
During OIDC registration, the userβs email was improperly validated against the allowed CODER_OIDC_EMAIL_DOMAIN
s. This could allow a user with a domain that only partially matched an allowed domain to successfully login or register (e.g. [email protected]
would match the allowed domain corp.com
).
An attacker could register a domain name that exploited this vulnerability and register on a Coder instance with a public OIDC provider.
Coder instances with OIDC enabled and protected by the CODER_OIDC_EMAIL_DOMAIN
configuration.
Coder instances using a private OIDC provider are not affected, as arbitrary users cannot register through a private OIDC provider without first having an account on the provider.
Public OIDC providers (such as google.com
without permitted domains set on the OAuth2 App) are impacted.
GitHub authentication and external authentication are not impacted.
To check if your deployment was exploited:
action:register
filter)@exploitcorp.com
instead of @corp.com
)This vulnerability is remedied in
All versions prior to these patches are affected by the vulnerability. It is recommended that customers upgrade their deployments as soon as possible if they are utilizing OIDC authentication with the CODER_OIDC_EMAIL_DOMAIN
setting.
https://github.com/coder/coder/security/advisories/GHSA-7cc2-r658-7xpf
https://github.com/coder/coder/commit/4439a920e454a82565e445e4376c669e3b89591c
https://nvd.nist.gov/vuln/detail/CVE-2024-27918
github.com/coder/coder
github.com/coder/coder/commit/1171ce7add017481d28441575024209ac160ecb0
github.com/coder/coder/commit/2ba84911f8b02605e5958d5e4a2fe3979ec50b31
github.com/coder/coder/commit/2d37eb42e7db656e343fe1f36de5ab1a1a62f4fb
github.com/coder/coder/commit/4439a920e454a82565e445e4376c669e3b89591c
github.com/coder/coder/security/advisories/GHSA-7cc2-r658-7xpf
nvd.nist.gov/vuln/detail/CVE-2024-27918
8.2 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
7 High
AI Score
Confidence
Low
0.0004 Low
EPSS
Percentile
15.7%