SCA: security update for github.com/pocketbase/pocketbase (GHSA-m93w-4fxv-r35v)

medium Tenable Self-Hosted Container Security Plugin ID 416860

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Pocketbase is an open source web backend written in go. In affected versions a malicious user may be able
to compromise other user accounts. In order to be exploited users must have both OAuth2 and Password auth
methods enabled. A possible attack scenario could be: 1. a malicious actor register with the targeted
user's email (it is unverified), 2. at some later point in time the targeted user stumble on your app and
decides to sign-up with OAuth2 (_this step could be also initiated by the attacker by sending an invite
email to the targeted user_), 3. on successful OAuth2 auth we search for an existing PocketBase user
matching with the OAuth2 user's email and associate them, 4. because we haven't changed the password of
the existing PocketBase user during the linking, the malicious actor has access to the targeted user
account and will be able to login with the initially created email/password. To prevent this for happening
we now reset the password for this specific case if the previously created user wasn't verified (an
exception to this is if the linking is explicit/manual, aka. when you send `Authorization:TOKEN` with the
OAuth2 auth call). Additionally to warn existing users we now send an email alert in case the user has
logged in with password but has at least one OAuth2 account linked. The flow will be further improved with
ongoing refactoring and we will start sending emails for "unrecognized device" logins (OTP and MFA is
already implemented and will be available with the next v0.23.0 release in the near future). For the time
being users are advised to update to version 0.22.14. There are no known workarounds for this
vulnerability. (CVE-2024-38351)

See Also

https://github.com/advisories/GHSA-m93w-4fxv-r35v

Plugin Details

Severity: Medium

ID: 416860

Version: Revision 1.10

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 6/1/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.1

Percentile: 7.46

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 4.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2024-38351

CVSS v3

Risk Factor: Medium

Base Score: 5.4

Temporal Score: 4.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 6/18/2024

Vulnerability Publication Date: 6/18/2024

Reference Information

CVE: CVE-2024-38351

cwe: CWE-287