CVE-2024-38351

CVSS 3.1 Score 5.4 of 10 (medium)

Details

Published Jun 18, 2024
Updated: Jun 20, 2024
CWE ID 287

Summary

CVE-2024-38351 is a vulnerability affecting PocketBase, an open source web backend written in Go. A malicious user may gain unauthorized access to other user accounts by exploiting the combination of the OAuth2 and password authentication methods. In the attack scenario, the attacker first registers a password account using the targeted user's email address; this account remains unverified. The targeted user later grants access via OAuth2. Once the newly created account has been associated with the existing, unverified PocketBase user, the attacker can log in with the targeted user's email and the original password. To mitigate this issue, PocketBase now resets the password of a previously created user during the linking process if that user is not verified. It also sends an email alert to warn users who have logged in with a password but have at least one OAuth2 account linked. The vulnerability, which cannot be bypassed, has been addressed in version 0.22.14; users are advised to update as soon as possible. Further improvements, such as sending emails for "unrecognized device" logins and implementing OTP and MFA, are planned for future releases.
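The linking behaviour described above, as an added Go example that is not PocketBase's own code: `Account`, `Store` and the plain-string `hash` are constructed stand-ins, and `LinkOAuth2` shows the pre-0.22.14 link of an unverified record beside the fixed behaviour that resets its password first.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
)

// Account is a constructed stand-in for an auth record, not PocketBase's own model.
type Account struct {
	Email, PasswordHash string
	Verified, OAuth2     bool
}

type Store struct{ accounts map[string]*Account }
func NewStore() *Store { return &Store{accounts: map[string]*Account{}} }

// PasswordSignUp registers an unverified password account; false if the email is taken.
func (s *Store) PasswordSignUp(email, password string) bool {
	if _, exists := s.accounts[email]; exists {
		return false
	}
	s.accounts[email] = &Account{Email: email, PasswordHash: hash(password)}
	return true
}

func (s *Store) PasswordLogin(email, password string) bool {
	a, ok := s.accounts[email]
	return ok && a.PasswordHash == hash(password)
}

// LinkOAuth2 models the provider callback after the provider asserted ownership of email.
// resetUnverified=false links an existing unverified record as-is (the bug); true first
// replaces its stale password with a random secret, so whoever created it loses password access.
func (s *Store) LinkOAuth2(email string, resetUnverified bool) {
	a, ok := s.accounts[email]
	if !ok {
		a = &Account{Email: email}
		s.accounts[email] = a
	} else if !a.Verified && resetUnverified {
		a.PasswordHash = hash(randomSecret())
	}
	a.OAuth2, a.Verified = true, true
}

func hash(p string) string { return "h:" + p } // stand-in; use bcrypt/argon2 for real

func randomSecret() string {
	b := make([]byte, 32)
	rand.Read(b) // crypto/rand; the error is ignorable here
	return hex.EncodeToString(b)
}
```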
