blob: a6909bf7e5127de1136040e67656dd4db57d9c95 [file] [log] [blame]
id: GO-TEST-ID
modules:
- module: github.com/pomerium/pomerium
versions:
- introduced: 0.10.0
fixed: 0.13.4
vulnerable_at: 0.13.3
- module: github.com/pomerium/pomerium
versions:
- introduced: 0.10.0
fixed: 0.13.4
vulnerable_at: 0.13.3
packages:
- package: github.com/pomerium/pomerium/authenticate
summary: pomerium_signature is not verified in middleware in github.com/pomerium/pomerium
description: |-
### Impact Some API endpoints under /.pomerium/ do not verify parameters with
pomerium_signature. This could allow modifying parameters intended to be trusted
to Pomerium.
The issue mainly affects routes responsible for sign in/out, but does not
introduce an authentication bypass.
### Patches Patched in v0.13.4
### For more information If you have any questions or comments about this
advisory
* Open an issue in [pomerium](http://github.com/pomerium/pomerium)
* Email us at [security@pomerium.com](mailto:security@pomerium.com)
cves:
- CVE-2021-29652
ghsas:
- GHSA-fv82-r8qv-ch4v
references:
- advisory: https://github.com/pomerium/pomerium/security/advisories/GHSA-fv82-r8qv-ch4v
- advisory: https://nvd.nist.gov/vuln/detail/CVE-2021-29652
- fix: https://github.com/pomerium/pomerium/pull/2048
notes:
- lint: 'description: possible markdown formatting (found ### )'
- lint: 'description: possible markdown formatting (found [pomerium](http://github.com/pomerium/pomerium))'
- lint: 'references: too many advisories (found 2, want <=1)'
- lint: 'summary: must begin with a capital letter'