reports: add GO-2021-0258 for CVE-2021-41230
Fixes golang/vulndb#258
Change-Id: I0781ce61af3375a40a4f13c6111e7a381097c8b8
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/377621
Trust: Julie Qiu <julie@golang.org>
Run-TryBot: Julie Qiu <julie@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
diff --git a/reports/GO-2021-0258.yaml b/reports/GO-2021-0258.yaml
new file mode 100644
index 0000000..7cb9aae
--- /dev/null
+++ b/reports/GO-2021-0258.yaml
@@ -0,0 +1,21 @@
+module: github.com/pomerium/pomerium
+versions:
+- fixed: v0.15.6
+description: |
+ Pomerium is an open source identity-aware access proxy. Changes to the OIDC
+ claims of a user after initial login are not reflected in policy evaluation
+ when using allowed_idp_claims as part of policy. If using allowed_idp_claims
+ and a user's claims are changed, Pomerium can make incorrect authorization
+ decisions.
+
+ For users unable to upgrade clear data on databroker service by clearing
+ redis or restarting the in-memory databroker to force claims to be updated.
+cves:
+- CVE-2021-41230
+symbols:
+- Manager.onUpdateRecords
+links:
+ pr: https://github.com/pomerium/pomerium/pull/2724
+ commit: https://github.com/pomerium/pomerium/commit/f20542c4bf2cc691e4c324f7ec79e02e46d95511
+ context:
+ - https://github.com/pomerium/pomerium/security/advisories/GHSA-j6wp-3859-vxfg
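Review bot: the symbols entry Manager.onUpdateRecords cannot be resolved as written, because the report gives only `module: github.com/pomerium/pomerium` and no package path; add the package that defines Manager (take it from the fixing commit linked under links.commit) so the affected-symbol lookup resolves. Two smaller points in the same hunk: versions lists only `- fixed: v0.15.6` with no `introduced`, which marks every earlier release as affected, so confirm that allowed_idp_claims has existed since the first release or add the introducing version; and the second description paragraph reads awkwardly, e.g. `For users unable to upgrade, clear data on the databroker service by clearing redis or restarting the in-memory databroker to force claims to be updated.`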