Description
Pomerium is an open source identity-aware access proxy. In affected versions changes to the OIDC claims of a user after initial login are not reflected in policy evaluation when using `allowed_idp_claims` as part of policy. If using `allowed_idp_claims` and a user's claims are changed, Pomerium can make incorrect authorization decisions. This issue has been resolved in v0.15.6. For users unable to upgrade clear data on `databroker` service by clearing redis or restarting the in-memory databroker to force claims to be updated.
Published: 2021-11-05
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2021-2361 Pomerium is an open source identity-aware access proxy. In affected versions changes to the OIDC claims of a user after initial login are not reflected in policy evaluation when using `allowed_idp_claims` as part of policy. If using `allowed_idp_claims` and a user's claims are changed, Pomerium can make incorrect authorization decisions. This issue has been resolved in v0.15.6. For users unable to upgrade clear data on `databroker` service by clearing redis or restarting the in-memory databroker to force claims to be updated.
Github GHSA Github GHSA GHSA-j6wp-3859-vxfg OIDC claims not updated from Identity Provider in Pomerium
History

No history.

Subscriptions

Pomerium Pomerium
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2024-08-04T03:08:31.639Z

Reserved: 2021-09-15T00:00:00.000Z

Link: CVE-2021-41230

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2021-11-05T23:15:08.727

Modified: 2024-11-21T06:25:50.297

Link: CVE-2021-41230

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.

Weaknesses