All versions prior to these patches are affected by the vulnerability. It is recommended that customers upgrade their deployments as soon as possible if they are utilizing OIDC authentication with the CODER_OIDC_EMAIL_DOMAIN setting.
References:
https://github.com/coder/coder/security/advisories/GHSA-7cc2-r658-7xpf
https://github.com/coder/coder/commit/4439a920e454a82565e445e4376c669e3b89591c
https://nvd.nist.gov/vuln/detail/CVE-2024-27918
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/coder/coder/v2 | go | >= 2.8.0, < 2.8.4 | 2.8.4 |
| github.com/coder/coder/v2 | go | >= 2.7.0, < 2.7.3 | 2.7.3 |
| github.com/coder/coder/v2 | go | < 2.6.1 | 2.6.1 |
| github.com/coder/coder | go | <= 0.27.3 | |
The vulnerability description and the linked commit point to a flaw in the OIDC email domain validation. The commit modifies the userOIDC function in coderd/userauth.go. The core of the vulnerability was the use of strings.HasSuffix for the domain comparison, which only checks that the email string ends with the configured domain and therefore also accepts addresses whose domain merely ends with the allowed domain. The patch replaced this with a stricter comparison, using strings.EqualFold on the exact domain part of the email (the text after the last @). The userOIDC function is therefore the direct location of the vulnerable code: it processed the potentially attacker-controlled input (the email claim from the OIDC provider) and made the incorrect authorization decision.
The function name github.com/coder/coder/coderd.(*API).userOIDC is derived by combining the package path github.com/coder/coder/coderd, the receiver type *API on which it is a method, and the method name userOIDC itself. This is the standard way Go method names are rendered in profiler output and stack traces. Confidence is high because the patch directly modifies this function to fix the described vulnerability logic.
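The following is an added example, not code from the Coder project, that reconstructs the two comparison patterns described above side by side: a suffix check over the whole email string, and an exact, case-insensitive check on the domain part after the last @. The function names, the sample allow-list and the sample email addresses are all constructed for illustration and do not reproduce the project's own implementation.

```go
package main

import (
	"fmt"
	"strings"
)

// sampleAllowedDomains stands in for a configured allow-list such as the
// CODER_OIDC_EMAIL_DOMAIN setting. The values are constructed for this example.
var sampleAllowedDomains = []string{"example.com", "corp.example.org"}

// suffixDomainCheck reproduces the flawed pattern: strings.HasSuffix on the
// whole email only verifies that the string ends with an allowed domain, so
// "mallory@notexample.com" is accepted for the allowed domain "example.com".
func suffixDomainCheck(email string, allowed []string) bool {
	for _, d := range allowed {
		if strings.HasSuffix(email, d) {
			return true
		}
	}
	return false
}

// exactDomainCheck is the hardened pattern: isolate the text after the last
// '@' and require a case-insensitive exact match (strings.EqualFold) against
// an allowed domain. Inputs with no domain part are rejected outright.
func exactDomainCheck(email string, allowed []string) bool {
	at := strings.LastIndex(email, "@")
	if at < 0 || at == len(email)-1 {
		return false // no '@' or nothing after it: not a usable address
	}
	domain := email[at+1:]
	for _, d := range allowed {
		if strings.EqualFold(domain, d) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample inputs covering the normal case, the partial-match
	// case the suffix check gets wrong, a case-folding case, and malformed input.
	samples := []string{
		"alice@example.com",
		"mallory@notexample.com",
		"Bob@CORP.EXAMPLE.ORG",
		"no-at-sign-example.com",
		"trailing@",
	}
	fmt.Printf("%-28s %-8s %-8s\n", "email", "suffix", "exact")
	for _, e := range samples {
		fmt.Printf("%-28s %-8v %-8v\n", e,
			suffixDomainCheck(e, sampleAllowedDomains),
			exactDomainCheck(e, sampleAllowedDomains))
	}
}
```

The difference shows up on inputs the suffix check was never designed to reject: an address whose domain ends with, but is not equal to, an allowed domain passes the suffix check and fails the exact check. Note that the exact check also rejects subdomains such as user@mail.example.com; whether those should be accepted is a policy decision for the deployment, and if so they must be matched as a labelled suffix (a preceding dot) rather than as a raw string suffix.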