reports: add GO-2021-0258 for CVE-2021-41230

Fixes golang/vulndb#258

Change-Id: I0781ce61af3375a40a4f13c6111e7a381097c8b8
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/377621
Trust: Julie Qiu <julie@golang.org>
Run-TryBot: Julie Qiu <julie@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
diff --git a/reports/GO-2021-0258.yaml b/reports/GO-2021-0258.yaml
new file mode 100644
index 0000000..7cb9aae
--- /dev/null
+++ b/reports/GO-2021-0258.yaml
@@ -0,0 +1,21 @@
+module: github.com/pomerium/pomerium
+versions:
+- fixed: v0.15.6
+description: |
+  Pomerium is an open source identity-aware access proxy. Changes to the OIDC
+  claims of a user after initial login are not reflected in policy evaluation
+  when using allowed_idp_claims as part of policy. If using allowed_idp_claims
+  and a user's claims are changed, Pomerium can make incorrect authorization
+  decisions.
+
+  For users unable to upgrade clear data on databroker service by clearing
+  redis or restarting the in-memory databroker to force claims to be updated.
+cves:
+- CVE-2021-41230
+symbols:
+- Manager.onUpdateRecords
+links:
+  pr: https://github.com/pomerium/pomerium/pull/2724
+  commit: https://github.com/pomerium/pomerium/commit/f20542c4bf2cc691e4c324f7ec79e02e46d95511
+  context:
+  - https://github.com/pomerium/pomerium/security/advisories/GHSA-j6wp-3859-vxfg
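Review bot: The `symbols` entry lists `Manager.onUpdateRecords` without naming the package inside `github.com/pomerium/pomerium` that defines `Manager`, so the affected symbol is ambiguous at the module level. Consider adding the package path alongside it. In `versions`, only `fixed: v0.15.6` is given, which marks every earlier release as affected. If that is intended, it is fine as is. Otherwise add the introducing version. The workaround sentence in `description` is also hard to parse ("For users unable to upgrade clear data on databroker service by clearing redis"). Something like "Users unable to upgrade can clear data on the databroker service by clearing Redis or restarting the in-memory databroker, which forces claims to be updated." would read more clearly.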