| packages: |
| - module: github.com/pomerium/pomerium |
| symbols: |
| - Manager.onUpdateRecords |
| versions: |
| - fixed: 0.15.6 |
| description: | |
| Pomerium is an open source identity-aware access proxy. Changes to the OIDC |
| claims of a user after initial login are not reflected in policy evaluation |
| when using allowed_idp_claims as part of policy. If using allowed_idp_claims |
| and a user's claims are changed, Pomerium can make incorrect authorization |
| decisions. |
| |
| For users unable to upgrade clear data on databroker service by clearing |
| redis or restarting the in-memory databroker to force claims to be updated. |
| published: 2022-01-14T17:30:31Z |
| cves: |
| - CVE-2021-41230 |
| ghsas: |
| - GHSA-j6wp-3859-vxfg |
| links: |
| pr: https://github.com/pomerium/pomerium/pull/2724 |
| commit: https://github.com/pomerium/pomerium/commit/f20542c4bf2cc691e4c324f7ec79e02e46d95511 |
| context: |
| - https://github.com/pomerium/pomerium/security/advisories/GHSA-j6wp-3859-vxfg |