blob: e61325578035e0a49e23e14536ab543d17b65e2f [file] [log] [blame]
id: GO-2021-0258
modules:
- module: github.com/pomerium/pomerium
versions:
- fixed: 0.15.6
vulnerable_at: 0.15.5
packages:
- package: github.com/pomerium/pomerium/internal/identity/manager
symbols:
- Manager.onUpdateRecords
derived_symbols:
- Manager.Run
- Manager.RunLeased
summary: Incorrect authorization in github.com/pomerium/pomerium
description: |-
Pomerium is an open source identity-aware access proxy. Changes to the OIDC
claims of a user after initial login are not reflected in policy evaluation when
using allowed_idp_claims as part of policy. If using allowed_idp_claims and a
user's claims are changed, Pomerium can make incorrect authorization decisions.
For users unable to upgrade clear data on databroker service by clearing redis
or restarting the in-memory databroker to force claims to be updated.
published: 2022-01-14T17:30:31Z
cves:
- CVE-2021-41230
ghsas:
- GHSA-j6wp-3859-vxfg
references:
- fix: https://github.com/pomerium/pomerium/pull/2724
- fix: https://github.com/pomerium/pomerium/commit/f20542c4bf2cc691e4c324f7ec79e02e46d95511
review_status: REVIEWED