ghsa-j6wp-3859-vxfg
Vulnerability from github
Published
2021-11-10 16:52
Modified
2021-11-08 21:37
Severity ?
Summary
OIDC claims not updated from Identity Provider in Pomerium
Details
Impact
Changes to the OIDC claims of a user after initial login are not reflected in policy evaluation when using allowed_idp_claims
as part of policy. If using allowed_idp_claims
and a user's claims are changed, Pomerium can make incorrect authorization decisions.
Patches
v0.15.6
Workarounds
- Clear data on
databroker
service by clearing redis or restarting the in-memory databroker to force claims to be updated
References
https://github.com/pomerium/pomerium/pull/2724
For more information
If you have any questions or comments about this advisory: * Open an issue in Pomerium * Email us at security@pomerium.com
{ "affected": [ { "package": { "ecosystem": "Go", "name": "github.com/pomerium/pomerium" }, "ranges": [ { "events": [ { "introduced": "0.14.0" }, { "fixed": "0.15.6" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2021-41230" ], "database_specific": { "cwe_ids": [ "CWE-863" ], "github_reviewed": true, "github_reviewed_at": "2021-11-08T21:37:07Z", "nvd_published_at": "2021-11-05T23:15:00Z", "severity": "MODERATE" }, "details": "### Impact\nChanges to the OIDC claims of a user after initial login are not reflected in policy evaluation when using [`allowed_idp_claims`](https://www.pomerium.com/reference/#allowed-idp-claims) as part of policy. If using `allowed_idp_claims` and a user\u0027s claims are changed, Pomerium can make incorrect authorization decisions.\n\n### Patches\nv0.15.6\n\n### Workarounds\n- Clear data on `databroker` service by clearing redis or restarting the in-memory databroker to force claims to be updated\n\n### References\nhttps://github.com/pomerium/pomerium/pull/2724\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [Pomerium](https://github.com/pomerium/pomerium)\n* Email us at [security@pomerium.com](mailto:security@pomerium.com)\n", "id": "GHSA-j6wp-3859-vxfg", "modified": "2021-11-08T21:37:07Z", "published": "2021-11-10T16:52:24Z", "references": [ { "type": "WEB", "url": "https://github.com/pomerium/pomerium/security/advisories/GHSA-j6wp-3859-vxfg" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41230" }, { "type": "WEB", "url": "https://github.com/pomerium/pomerium/pull/2724" }, { "type": "WEB", "url": "https://github.com/pomerium/pomerium/commit/f20542c4bf2cc691e4c324f7ec79e02e46d95511" }, { "type": "PACKAGE", "url": "https://github.com/pomerium/pomerium" }, { "type": "WEB", "url": "https://pkg.go.dev/vuln/GO-2021-0258" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "type": "CVSS_V3" } ], "summary": "OIDC claims not updated from Identity Provider in Pomerium" }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.