blob: ee59322edcadbfccf72029c4cff2f7b61a03768f [file] [log] [blame]
module: github.com/pomerium/pomerium
versions:
- fixed: v0.15.6
description: |
Pomerium is an open source identity-aware access proxy. Changes to the OIDC
claims of a user after initial login are not reflected in policy evaluation
when using allowed_idp_claims as part of policy. If using allowed_idp_claims
and a user's claims are changed, Pomerium can make incorrect authorization
decisions.
For users unable to upgrade clear data on databroker service by clearing
redis or restarting the in-memory databroker to force claims to be updated.
cves:
- CVE-2021-41230
symbols:
- Manager.onUpdateRecords
links:
pr: https://github.com/pomerium/pomerium/pull/2724
commit: https://github.com/pomerium/pomerium/commit/f20542c4bf2cc691e4c324f7ec79e02e46d95511
context:
- https://github.com/pomerium/pomerium/security/advisories/GHSA-j6wp-3859-vxfg