Vulnerability Report: GO-2021-0258

CVE-2021-41230, GHSA-j6wp-3859-vxfg
Affects: github.com/pomerium/pomerium
Published: Jan 14, 2022
Modified: Jun 12, 2023

Pomerium is an open source identity-aware access proxy. Changes to the OIDC claims of a user after initial login are not reflected in policy evaluation when using allowed_idp_claims as part of policy. If using allowed_idp_claims and a user's claims are changed, Pomerium can make incorrect authorization decisions. For users unable to upgrade clear data on databroker service by clearing redis or restarting the in-memory databroker to force claims to be updated.

Affected Packages

Path

Versions

Symbols
github.com/pomerium/pomerium/internal/identity/manager

before v0.15.6
- Manager.Run
- Manager.RunLeased

Aliases

CVE-2021-41230
GHSA-j6wp-3859-vxfg

References

https://github.com/pomerium/pomerium/pull/2724
https://github.com/pomerium/pomerium/commit/f20542c4bf2cc691e4c324f7ec79e02e46d95511
https://vuln.go.dev/ID/GO-2021-0258.json

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL