| id: GO-2021-0258 |
| modules: |
| - module: github.com/pomerium/pomerium |
| versions: |
| - fixed: 0.15.6 |
| vulnerable_at: 0.15.5 |
| packages: |
| - package: github.com/pomerium/pomerium/internal/identity/manager |
| symbols: |
| - Manager.onUpdateRecords |
| derived_symbols: |
| - Manager.Run |
| - Manager.RunLeased |
| summary: Incorrect authorization in github.com/pomerium/pomerium |
| description: |- |
| Pomerium is an open source identity-aware access proxy. Changes to the OIDC |
| claims of a user after initial login are not reflected in policy evaluation when |
| using allowed_idp_claims as part of policy. If using allowed_idp_claims and a |
| user's claims are changed, Pomerium can make incorrect authorization decisions. |
| |
| For users unable to upgrade clear data on databroker service by clearing redis |
| or restarting the in-memory databroker to force claims to be updated. |
| published: 2022-01-14T17:30:31Z |
| cves: |
| - CVE-2021-41230 |
| ghsas: |
| - GHSA-j6wp-3859-vxfg |
| references: |
| - fix: https://github.com/pomerium/pomerium/pull/2724 |
| - fix: https://github.com/pomerium/pomerium/commit/f20542c4bf2cc691e4c324f7ec79e02e46d95511 |
| review_status: REVIEWED |