PT-2024-22135 · Coder · Coder

Arcz · Published 2024-03-04 · Updated 2025-12-04 · CVE-2024-27918

CVSS v3.1: 8.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Coder versions prior to 2.6.1
Coder versions prior to 2.7.3
Coder versions prior to 2.8.4
Description

A vulnerability in Coder's OIDC authentication could allow an attacker to bypass the CODER_OIDC_EMAIL_DOMAIN verification and create an account with an email address whose domain is not in the allowlist. Deployments are only affected if the OIDC provider allows users to create accounts on the provider themselves. During OIDC registration, the user's email was improperly validated against the allowed CODER_OIDC_EMAIL_DOMAIN values: the domain was matched only partially, so a user whose email domain merely ended with (or otherwise partially matched) an allowed domain could successfully log in or register. An attacker could register a domain name that satisfied this partial match and then register on a Coder instance that uses a public OIDC provider. Coder instances with OIDC enabled and protected by the CODER_OIDC_EMAIL_DOMAIN configuration are affected. Public OIDC providers are impacted; GitHub authentication and external authentication are not.
Recommendations

For versions prior to 2.6.1, upgrade to version 2.6.1 or later.
For versions prior to 2.7.3, upgrade to version 2.7.3 or later.
For versions prior to 2.8.4, upgrade to version 2.8.4 or later.

As a temporary workaround, consider restricting access to the OIDC authentication feature until a patch is available. Restrict access to the CODER_OIDC_EMAIL_DOMAIN configuration to minimize the risk of exploitation. Avoid using public OIDC providers without proper configuration and validation of the CODER_OIDC_EMAIL_DOMAIN setting.
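The advisory describes the weakness only as a "partial match" of the email domain against the allowlist; it does not show Coder's actual check. The following Go program is an added illustration, not Coder's code, and assumes the simplest form of that weakness class: a check that tests whether the whole email string ends with an allowed domain without anchoring on the "@" separator. It places that loose check beside a strict one that isolates the domain part and requires an exact, case-insensitive match, and it reports which constructed sample addresses only the loose check accepts. The allowlist, the sample addresses and the function names are constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// domainAllowedLoose is a constructed example of the weakness class the
// advisory describes (not Coder's code): the check only asks whether the
// email string ends with an allowed domain. Because the comparison is not
// anchored at "@", an address at "evil-example.com" satisfies an allowlist
// entry of "example.com".
func domainAllowedLoose(email string, allowed []string) bool {
	lower := strings.ToLower(strings.TrimSpace(email))
	for _, d := range allowed {
		if strings.HasSuffix(lower, strings.ToLower(strings.TrimPrefix(d, "@"))) {
			return true
		}
	}
	return false
}

// domainAllowedStrict is the hardened form: require exactly one "@", split
// the address there, and compare the domain part for exact (case-insensitive)
// equality with an allowlist entry. Subdomains are deliberately not accepted;
// allowing them would be an explicit policy decision, not a side effect.
func domainAllowedStrict(email string, allowed []string) bool {
	email = strings.TrimSpace(email)
	if strings.Count(email, "@") != 1 {
		return false
	}
	parts := strings.SplitN(email, "@", 2)
	local, domain := parts[0], strings.ToLower(parts[1])
	if local == "" || domain == "" {
		return false
	}
	for _, d := range allowed {
		if domain == strings.ToLower(strings.TrimPrefix(strings.TrimSpace(d), "@")) {
			return true
		}
	}
	return false
}

// disagreements returns the addresses the loose check accepts but the strict
// check rejects: these are the registrations the allowlist bypass lets through.
func disagreements(emails []string, allowed []string) []string {
	var out []string
	for _, e := range emails {
		if domainAllowedLoose(e, allowed) && !domainAllowedStrict(e, allowed) {
			out = append(out, e)
		}
	}
	return out
}

func main() {
	// Constructed allowlist and sample addresses.
	allowed := []string{"example.com"}
	emails := []string{
		"alice@example.com",            // legitimate
		"ALICE@Example.COM",            // legitimate, different case
		"mallory@evil-example.com",     // lookalike domain ending in the allowed domain
		"mallory@example.com.evil.net", // allowed domain appears only as a prefix
		"bob@sub.example.com",          // subdomain of the allowed domain
	}
	fmt.Printf("%-32s %-6s %-6s\n", "email", "loose", "strict")
	for _, e := range emails {
		fmt.Printf("%-32s %-6v %-6v\n", e, domainAllowedLoose(e, allowed), domainAllowedStrict(e, allowed))
	}
	fmt.Println("accepted only by the loose check:", disagreements(emails, allowed))
}
```

Running the program shows the lookalike domain and the subdomain passing the loose check and failing the strict one, while the address whose domain only begins with "example.com" is rejected by both. The practical takeaway for an operator is to verify, against the deployed version, that the allowlist comparison is anchored on the domain part of the address rather than on the tail of the whole string.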

Related Identifiers

CVE-2024-27918
GHSA-7CC2-R658-7XPF
GO-2024-2602

Affected Products

Coder