x/vulndb: potential Go vuln in github.com/pocketbase/pocketbase: CVE-2024-38351

[GoVulnBot]

Advisory CVE-2024-38351 references a vulnerability in the following Go modules:

Module
github.com/pocketbase/pocketbase

Description:
Pocketbase is an open source web backend written in go. In affected versions a
malicious user may be able to compromise other user accounts. In order to be
exploited users must have both OAuth2 and Password auth methods enabled. A
possible attack scenario could be: 1. a malicious actor register with the
targeted user's email (it is unverified), 2. at some later point in time the
targeted user stumble on your app and decides to sign-up with OAuth2 (this step
could be also initiated by the attacker by sending an invite email to the
targeted user), 3. on successful OAuth2 auth we search for an ...

References:

• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-38351
• WEB: Planned refactoring and temporary feature freeze pocketbase/pocketbase#4355
• WEB: GHSA-m93w-4fxv-r35v

Cross references:
No existing reports found with this module or alias.
See doc/triage.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/pocketbase/pocketbase
      vulnerable_at: 0.22.14
      packages:
        - package: pocketbase
summary: CVE-2024-38351 in github.com/pocketbase/pocketbase
cves:
    - CVE-2024-38351
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-38351
    - web: https://github.com/pocketbase/pocketbase/discussions/4355
    - web: https://github.com/pocketbase/pocketbase/security/advisories/GHSA-m93w-4fxv-r35v
source:
    id: CVE-2024-38351
    created: 2024-06-18T19:01:17.096007076Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/595957 mentions this issue: data/reports: add 5 reports