Google Git
Sign in
go / vulndb / e79611000c758a19861676b6eef439161222282a / . / internal / genericosv / testdata / osv / GHSA-fv82-r8qv-ch4v.json
blob: 044201cc9d4cc138fbbc702a3695f3a19a6a8685 [file] [log] [blame]
{
"schema_version": "1.4.0",
"id": "GHSA-fv82-r8qv-ch4v",
"modified": "2021-05-20T20:47:18Z",
"published": "2021-05-21T16:24:22Z",
"aliases": [
"CVE-2021-29652"
],
"summary": "pomerium_signature is not verified in middleware in github.com/pomerium/pomerium",
"details": "### Impact\nSome API endpoints under /.pomerium/ do not verify parameters with pomerium_signature. This could allow modifying parameters intended to be trusted to Pomerium. \n\nThe issue mainly affects routes responsible for sign in/out, but does not introduce an authentication bypass.\n\n### Patches\nPatched in v0.13.4\n\n### For more information\nIf you have any questions or comments about this advisory\n* Open an issue in [pomerium](http://github.com/pomerium/pomerium)\n* Email us at [security@pomerium.com](mailto:security@pomerium.com)",
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/pomerium/pomerium"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0.10.0"
},
{
"fixed": "0.13.4"
}
]
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/pomerium/pomerium/authenticate"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0.10.0"
},
{
"fixed": "0.13.4"
}
]
}
]
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
}
],
"references": [
{
"type": "WEB",
"url": "https://github.com/pomerium/pomerium/security/advisories/GHSA-fv82-r8qv-ch4v"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29652"
},
{
"type": "WEB",
"url": "https://github.com/pomerium/pomerium/pull/2048"
}
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-20T20:47:18Z",
"nvd_published_at": null,
"severity": "HIGH"
}
}