ghsa-fv82-r8qv-ch4v
Vulnerability from github
Published
2021-05-21 16:24
Modified
2023-10-02 12:10
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
pomerium_signature is not verified in middleware in github.com/pomerium/pomerium
Details

Impact

Some API endpoints under /.pomerium/ do not verify parameters with pomerium_signature. This could allow modifying parameters intended to be trusted to Pomerium.

The issue mainly affects routes responsible for sign in/out, but does not introduce an authentication bypass.

Specific Go Packages Affected

github.com/pomerium/pomerium/authenticate

Patches

Patched in v0.13.4

For more information

If you have any questions or comments about this advisory * Open an issue in pomerium * Email us at security@pomerium.com

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/pomerium/pomerium"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.10.0"
            },
            {
              "fixed": "0.13.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-29652"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-20T20:47:18Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\nSome API endpoints under /.pomerium/ do not verify parameters with pomerium_signature. This could allow modifying parameters intended to be trusted to Pomerium. \n\nThe issue mainly affects routes responsible for sign in/out, but does not introduce an authentication bypass.\n\n### Specific Go Packages Affected\ngithub.com/pomerium/pomerium/authenticate\n\n### Patches\nPatched in v0.13.4\n\n### For more information\nIf you have any questions or comments about this advisory\n* Open an issue in [pomerium](http://github.com/pomerium/pomerium)\n* Email us at [security@pomerium.com](mailto:security@pomerium.com)",
  "id": "GHSA-fv82-r8qv-ch4v",
  "modified": "2023-10-02T12:10:36Z",
  "published": "2021-05-21T16:24:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pomerium/pomerium/security/advisories/GHSA-fv82-r8qv-ch4v"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29652"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pomerium/pomerium/pull/2048"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "pomerium_signature is not verified in middleware in github.com/pomerium/pomerium"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.