Description
pomerium_signature is not verified in middleware in github.com/pomerium/pomerium
Impact
Some API endpoints under /.pomerium/ do not verify parameters with pomerium_signature. This could allow modification of parameters that Pomerium is intended to trust.
The issue mainly affects routes responsible for sign in/out, but does not introduce an authentication bypass.
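An added illustration, not Pomerium's code: Go middleware that refuses a request unless pomerium_signature matches an HMAC over the remaining query parameters, so a redirect target changed after signing is rejected before the handler uses it. The HMAC scheme, the redirect_uri parameter, the /.pomerium/example path and the function names are assumptions made for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

const sigParam = "pomerium_signature" // parameter name taken from the advisory

// signQuery MACs the sorted query minus the signature (assumed scheme, not Pomerium's).
func signQuery(key []byte, q url.Values) string {
	c, _ := url.ParseQuery(q.Encode()) // copy, so the caller's values stay intact
	c.Del(sigParam)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(c.Encode()))
	return hex.EncodeToString(mac.Sum(nil))
}

// requireSignature rejects a request before the handler can trust any parameter.
func requireSignature(key []byte, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		q := r.URL.Query()
		if !hmac.Equal([]byte(q.Get(sigParam)), []byte(signQuery(key, q))) {
			http.Error(w, "invalid signature", http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor sends rawQuery to a guarded, hypothetical redirecting route.
func statusFor(key []byte, rawQuery string) int {
	h := requireSignature(key, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, r.URL.Query().Get("redirect_uri"), http.StatusFound)
	}))
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest("GET", "/.pomerium/example?"+rawQuery, nil))
	return rec.Code
}

func main() {
	key, q := []byte("constructed-demo-key"), url.Values{"redirect_uri": {"https://app.example.com/"}}
	q.Set(sigParam, signQuery(key, q))
	fmt.Println("signed:", statusFor(key, q.Encode()), "unsigned:", statusFor(key, "redirect_uri=x"))
}
```

Wrapping every route that reads signed parameters in the same middleware keeps the check from being skipped on individual handlers.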
Specific Go Packages Affected
github.com/pomerium/pomerium/authenticate
Patches
Patched in v0.13.4
For more information
If you have any questions or comments about this advisory:
- Open an issue in pomerium
- Email us at security@pomerium.com
Packages
Name: github.com/pomerium/pomerium (go)
Affected versions: >= 0.10.0, < 0.13.4
Fixed version: 0.13.4
Related vulnerabilities
CVSS3: 6.1
nvd
almost 5 years ago
Pomerium from version 0.10.0-0.13.3 has an Open Redirect in the user sign-in/out process