Description
Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the devcontainer recreate endpoint relied on route middleware that checked only `ActionRead` on the workspace and, unlike the sibling delete endpoint, performed no `ActionUpdate` check before triggering the destructive rebuild. Exploitation requires an existing low-privilege role with access to the target workspace. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 adds an explicit `ActionUpdate` authorization check before the agent is dialed like the delete endpoint. No known workarounds are available.
Problem types
CWE-862: Missing Authorization
Product status
>= 2.33.0, < 2.33.8
>= 2.30.0, < 2.32.7
< 2.29.17
References
github.com/.../coder/security/advisories/GHSA-jqj2-x4c5-jfxm
github.com/coder/coder/pull/25812
github.com/coder/coder/releases/tag/v2.29.17
github.com/coder/coder/releases/tag/v2.32.7
github.com/coder/coder/releases/tag/v2.33.8
github.com/coder/coder/releases/tag/v2.34.2