CVE-2024-27918

CVSS 3.1 Score 8.2 of 10 (high)

Details

Published Mar 21, 2024
CWE ID 20

Summary

CVE-2024-27918 is a vulnerability in Coder's OIDC authentication that affects instances of Coder with OIDC enabled and protected by the CODER_OIDC_EMAIL_DOMAIN configuration. Versions prior to 2.6.1, 2.7.3, and 2.8.4 are vulnerable. The vulnerability allows an attacker to bypass email domain verification and create an account with an email not in the allowlist if the OIDC provider allows users to create accounts on the provider. An attacker could exploit this by registering a domain name that partially matches an allowed domain and then register on a Coder instance with a public OIDC provider. The potential danger posed is high as it could allow unauthorized access to the organization's development environments. To remediate the vulnerability, affected organizations should update to versions 2.6.1, 2.7.3, or 2.8.4 of Coder or apply any patches provided by the vendor.

Explore Beyond the CVE Basics with Recorded Future's Vulnerability Intelligence

Note: This is just a basic overview providing quick insights into CVE-2024-27918 information. Gain full access to comprehensive CVE data, risk scores, prioritization, and mitigation data through Recorded Future's Vulnerability Intelligence:
  • Prioritize with Risk-Based Scoring
  • Explore the Extensive Vulnerability Database
  • Receive Early Alerts on Emerging CVEs
  • Focus on Critical Exploitable Vulnerabilities
  • Streamline Remediation with Integration Options