CVE-2024-27918

HIGH EPSS 57.2%
Published Mar 21, 20242y ago · Modified Jun 17, 20262w ago
8.2 CVSS 3.1
High
Find Similar
Published Mar 21, 2024 2y ago
Last Modified Jun 17, 2026 2w ago

Description

Coder allows oragnizations to provision remote development environments via Terraform. Prior to versions 2.6.1, 2.7.3, and 2.8.4, a vulnerability in Coder's OIDC authentication could allow an attacker to bypass the `CODER_OIDC_EMAIL_DOMAIN` verification and create an account with an email not in the allowlist. Deployments are only affected if the OIDC provider allows users to create accounts on the provider. During OIDC registration, the user's email was improperly validated against the allowed `CODER_OIDC_EMAIL_DOMAIN`s. This could allow a user with a domain that only partially matched an allowed domain to successfully login or register. An attacker could register a domain name that exploited this vulnerability and register on a Coder instance with a public OIDC provider. Coder instances with OIDC enabled and protected by the `CODER_OIDC_EMAIL_DOMAIN` configuration are affected. Coder instances using a private OIDC provider are not affected, as arbitrary users cannot register through a private OIDC provider without first having an account on the provider. Public OIDC providers are impacted. GitHub authentication and external authentication are not impacted. This vulnerability is remedied in versions 2.8.4, 2.7.3, and 2.6.1 All versions prior to these patches are affected by the vulnerability.*It is recommended that customers upgrade their deployments as soon as possible if they are utilizing OIDC authentication with the `CODER_OIDC_EMAIL_DOMAIN` setting.

CVSS Details

Base Score
8.2
Exploitability
3.9
Impact
4.2
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality Low
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
57.2% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-20 Improper Input Validation Validation

Affected Products 3

VendorProductVersionRange
codercoder* <2.6.1
codercoder*≥2.7.0  –  <2.7.3
codercoder*≥2.8.0  –  <2.8.4

References 5

  • github.com https://github.com/coder/coder/commit/1171ce7add017481d28441575024209ac160ecb0
    Patch
  • github.com https://github.com/coder/coder/commit/2ba84911f8b02605e5958d5e4a2fe3979ec50b31
    Patch
  • github.com https://github.com/coder/coder/commit/2d37eb42e7db656e343fe1f36de5ab1a1a62f4fb
    Patch
  • github.com https://github.com/coder/coder/commit/4439a920e454a82565e445e4376c669e3b89591c
    Patch
  • github.com https://github.com/coder/coder/security/advisories/GHSA-7cc2-r658-7xpf
    Vendor Advisory

Remediation

  • github.com https://github.com/coder/coder/commit/1171ce7add017481d28441575024209ac160ecb0
    Patch
  • github.com https://github.com/coder/coder/commit/2ba84911f8b02605e5958d5e4a2fe3979ec50b31
    Patch
  • github.com https://github.com/coder/coder/commit/2d37eb42e7db656e343fe1f36de5ab1a1a62f4fb
    Patch
  • github.com https://github.com/coder/coder/commit/4439a920e454a82565e445e4376c669e3b89591c
    Patch