blob: 12af083abdd5c09d90ce2396601baf5c0a6f09f7 [file] [log] [blame]
packages:
- module: github.com/pomerium/pomerium
symbols:
- Manager.onUpdateRecords
versions:
- fixed: 0.15.6
description: |
Pomerium is an open source identity-aware access proxy. Changes to the OIDC
claims of a user after initial login are not reflected in policy evaluation
when using allowed_idp_claims as part of policy. If using allowed_idp_claims
and a user's claims are changed, Pomerium can make incorrect authorization
decisions.
For users unable to upgrade clear data on databroker service by clearing
redis or restarting the in-memory databroker to force claims to be updated.
published: 2022-01-14T17:30:31Z
cves:
- CVE-2021-41230
ghsas:
- GHSA-j6wp-3859-vxfg
links:
pr: https://github.com/pomerium/pomerium/pull/2724
commit: https://github.com/pomerium/pomerium/commit/f20542c4bf2cc691e4c324f7ec79e02e46d95511
context:
- https://github.com/pomerium/pomerium/security/advisories/GHSA-j6wp-3859-vxfg