exploitDog
CVE-2021-41230

Published: 05 Nov 2021
Source: nvd
CVSS3: 5.3 (GitHub advisory score)
CVSS3: 8.8 (NVD score)
CVSS2: 6.5
EPSS: Low

Description

Pomerium is an open source identity-aware access proxy. In affected versions, changes to a user's OIDC claims made after the initial login are not reflected in policy evaluation when allowed_idp_claims is used as part of a policy. If allowed_idp_claims is in use and a user's claims change at the identity provider (for example, the user is removed from a group), Pomerium can make incorrect authorization decisions based on the stale claims captured at login. This issue has been resolved in v0.15.6. Users unable to upgrade should clear the data held by the databroker service, by clearing Redis or restarting the in-memory databroker, to force claims to be re-fetched.
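The failure mode above is a stale-cache authorization check (CWE-863): claims are snapshotted at login and the policy is evaluated against the snapshot forever after. The Go program below is an added illustration, not Pomerium's code; it models a policy in the shape of an allowed_idp_claims rule (in Pomerium's policy YAML this would be `allowed_idp_claims: {groups: [admin]}`), a session cache in the role of the databroker, and a simulated identity provider. The user "alice", the "admin"/"eng" groups, the five-minute refresh window and the refresh-on-age strategy in authorizeFresh are all assumptions made for the example; the actual fix in v0.15.6 is whatever the project shipped, not necessarily this design.

```go
package main

import (
	"fmt"
	"time"
)

// Claims is a simplified view of OIDC claims: claim name -> list of values.
type Claims map[string][]string

// Policy mirrors the shape of an allowed_idp_claims rule: every listed claim
// must carry at least one of the listed values for the request to be allowed.
type Policy struct {
	AllowedIDPClaims map[string][]string
}

// Session is what a databroker-style cache keeps after the initial login.
type Session struct {
	UserID   string
	Claims   Claims
	CachedAt time.Time
}

// idp simulates the identity provider's *current* view of each user.
// (Constructed test double, not a real OIDC client.)
type idp map[string]Claims

// matches evaluates the policy against the supplied claims.
func (p Policy) matches(c Claims) bool {
	for name, wanted := range p.AllowedIDPClaims {
		ok := false
		for _, w := range wanted {
			for _, h := range c[name] {
				if h == w {
					ok = true
				}
			}
		}
		if !ok {
			return false
		}
	}
	return true
}

// authorizeStale is the vulnerable pattern the advisory describes: the
// decision uses only the claims captured at login and never consults the
// identity provider again.
func authorizeStale(p Policy, s Session) bool {
	return p.matches(s.Claims)
}

// authorizeFresh re-reads the user's claims from the identity provider once
// the cached copy is older than maxAge (an assumed design choice), then
// evaluates the policy against the refreshed copy. A user that no longer
// exists at the provider is denied outright.
func authorizeFresh(p Policy, s *Session, provider idp, now time.Time, maxAge time.Duration) bool {
	if now.Sub(s.CachedAt) > maxAge {
		current, ok := provider[s.UserID]
		if !ok {
			return false
		}
		s.Claims = current
		s.CachedAt = now
	}
	return p.matches(s.Claims)
}

// scenario walks through the advisory's case: alice is in the admin group at
// login, is removed from it at the IdP afterwards, then requests the admin
// route an hour later. It returns the stale-cache decision and the refreshed
// decision so the two behaviours can be compared.
func scenario() (stale, fresh bool) {
	policy := Policy{AllowedIDPClaims: map[string][]string{"groups": {"admin"}}}
	t0 := time.Date(2021, 11, 5, 0, 0, 0, 0, time.UTC)

	provider := idp{"alice": Claims{"groups": {"admin", "eng"}}}
	sess := Session{UserID: "alice", Claims: provider["alice"], CachedAt: t0}

	// Change at the IdP after login: alice loses the admin group.
	provider["alice"] = Claims{"groups": {"eng"}}

	stale = authorizeStale(policy, sess)
	fresh = authorizeFresh(policy, &sess, provider, t0.Add(time.Hour), 5*time.Minute)
	return stale, fresh
}

func main() {
	stale, fresh := scenario()
	fmt.Printf("stale claims:     allow=%v\n", stale)
	fmt.Printf("refreshed claims: allow=%v\n", fresh)
}
```

The stale path still allows alice because the session map captured at login is never touched; the refreshing path denies her once the cached copy expires. The interim workaround in the advisory (clearing Redis or restarting the in-memory databroker) is the operational equivalent of forcing CachedAt to expire for every session at once.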

Vulnerable configurations

Configuration 1
cpe:2.3:a:pomerium:pomerium:*:*:*:*:*:*:*:*
Version from 0.14.0 (inclusive) to 0.15.6 (exclusive)

EPSS

Percentile: 47%
Score: 0.00238
Low

CVSS3: 5.3 Medium
CVSS3: 8.8 High
CVSS2: 6.5 Medium

Weaknesses

CWE-863 (Incorrect Authorization)

Related vulnerabilities

CVSS3: 5.3
github
about 4 years ago

OIDC claims not updated from Identity Provider in Pomerium
