reports/GO-2021-0258.yaml - vulndb - Git at Google

 module: github.com/pomerium/pomerium
 versions:
   - fixed: v0.15.6
 description: |
     Pomerium is an open source identity-aware access proxy. Changes to the OIDC
     claims of a user after initial login are not reflected in policy evaluation
     when using allowed_idp_claims as part of policy. If using allowed_idp_claims
     and a user's claims are changed, Pomerium can make incorrect authorization
     decisions.

     For users unable to upgrade clear data on databroker service by clearing
     redis or restarting the in-memory databroker to force claims to be updated.
 cves:
   - CVE-2021-41230
 symbols:
   - Manager.onUpdateRecords
 links:
     pr: https://github.com/pomerium/pomerium/pull/2724
     commit: https://github.com/pomerium/pomerium/commit/f20542c4bf2cc691e4c324f7ec79e02e46d95511
     context:
       - https://github.com/pomerium/pomerium/security/advisories/GHSA-j6wp-3859-vxfg
	module: github.com/pomerium/pomerium
	versions:
	- fixed: v0.15.6
	description: \|
	Pomerium is an open source identity-aware access proxy. Changes to the OIDC
	claims of a user after initial login are not reflected in policy evaluation
	when using allowed_idp_claims as part of policy. If using allowed_idp_claims
	and a user's claims are changed, Pomerium can make incorrect authorization
	decisions.

	For users unable to upgrade clear data on databroker service by clearing
	redis or restarting the in-memory databroker to force claims to be updated.
	cves:
	- CVE-2021-41230
	symbols:
	- Manager.onUpdateRecords
	links:
	pr: https://github.com/pomerium/pomerium/pull/2724
	commit: https://github.com/pomerium/pomerium/commit/f20542c4bf2cc691e4c324f7ec79e02e46d95511
	context:
	- https://github.com/pomerium/pomerium/security/advisories/GHSA-j6wp-3859-vxfg