CVE-2021-41230
5.3
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
Pomerium is an open source identity-aware access proxy. In affected versions changes to the OIDC claims of a user after initial login are not reflected in policy evaluation when using allowed_idp_claims as part of policy. If using allowed_idp_claims and a user's claims are changed, Pomerium can make incorrect authorization decisions. This issue has been resolved in v0.15.6. For users unable to upgrade clear data on databroker service by clearing redis or restarting the in-memory databroker to force claims to be updated.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| pomerium | pomerium | >= 0.14.0, < 0.15.6 | affected |
Weaknesses
- CWE-863: CWE-863: Incorrect Authorization
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/pomerium/pomerium/security/advisories/GHSA-j6wp-3859-vxfg
- https://github.com/pomerium/pomerium/pull/2724
References
- https://github.com/pomerium/pomerium/security/advisories/GHSA-j6wp-3859-vxfg
- https://github.com/pomerium/pomerium/pull/2724
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.