CVE-2021-41230

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-41230
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-41230.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2021-41230
Aliases
Withdrawn
2024-05-08T06:51:36.250606Z
Published
2021-11-05T23:15:08Z
Modified
2023-11-28T22:52:58.321337Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

Pomerium is an open source identity-aware access proxy. In affected versions, changes to a user's OIDC claims made after the initial login are not reflected in policy evaluation when allowed_idp_claims is used as part of a policy. If allowed_idp_claims is in use and a user's claims change at the identity provider, Pomerium can make incorrect authorization decisions based on the claims recorded at login. This issue is resolved in v0.15.6. Users unable to upgrade can clear the data held by the databroker service (by clearing Redis, or by restarting the in-memory databroker); this discards existing sessions and forces users to log in again, so their claims are updated.
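The stale-claims failure described above, modelled as an added Go example. This is illustrative code written for this page, not Pomerium's implementation: the `Claims`, `IdP`, `Policy` and `Databroker` types, the `AuthorizeCached` and `AuthorizeRefreshed` functions, the claim-matching rule and the sample user are all assumptions; only the option name allowed_idp_claims and the clear-the-databroker workaround come from the advisory. `AuthorizeCached` evaluates the policy against the claims snapshotted at login (the affected behaviour), `AuthorizeRefreshed` re-reads the claims from the identity provider before deciding, and `Clear` stands in for flushing Redis or restarting the in-memory databroker.

```go
package main

import "fmt"

// Claims is a flat view of a user's OIDC claims; values are lists because claims such as "groups" are multi-valued.
type Claims map[string][]string

// IdP stands in for the identity provider (user -> current claims); a record can change after the user has logged in.
type IdP map[string]Claims

// Policy holds an allowed_idp_claims-style rule (claim name -> accepted values). Hypothetical type; only the option name is Pomerium's.
type Policy struct{ AllowedIdPClaims map[string][]string }

// Allows is true when every claim the policy names carries at least one accepted value (matching rule assumed for this example).
func (p Policy) Allows(c Claims) bool {
	for name, accepted := range p.AllowedIdPClaims {
		found := false
		for _, have := range c[name] {
			for _, want := range accepted {
				found = found || have == want
			}
		}
		if !found {
			return false
		}
	}
	return true
}

// session is what the databroker keeps per login: the user and the claims exactly as they were at login time.
type session struct {
	user   string
	claims Claims
}

// Databroker models the session store whose stale snapshots the advisory describes (Redis or in-memory in real Pomerium).
type Databroker struct{ sessions map[string]session }

func NewDatabroker() *Databroker { return &Databroker{sessions: map[string]session{}} }

// Login snapshots the user's current claims into a new session.
func (d *Databroker) Login(sessionID, user string, idp IdP) error {
	c, ok := idp[user]
	if !ok {
		return fmt.Errorf("login: unknown user %q", user)
	}
	d.sessions[sessionID] = session{user: user, claims: c}
	return nil
}

// Clear drops every session, which is what the advisory's workaround (flush Redis / restart the in-memory databroker) amounts to.
func (d *Databroker) Clear() { d.sessions = map[string]session{} }

// AuthorizeCached is the vulnerable path: the policy sees only the login-time snapshot, never later changes at the IdP.
func (d *Databroker) AuthorizeCached(p Policy, sessionID string) (bool, error) {
	s, ok := d.sessions[sessionID]
	if !ok {
		return false, fmt.Errorf("no session %q", sessionID)
	}
	return p.Allows(s.claims), nil
}

// AuthorizeRefreshed re-reads the claims from the IdP, updates the stored session and only then evaluates the policy,
// so a revoked claim takes effect at once. It models the intended behaviour, not the actual v0.15.6 change.
func (d *Databroker) AuthorizeRefreshed(idp IdP, p Policy, sessionID string) (bool, error) {
	s, ok := d.sessions[sessionID]
	if !ok {
		return false, fmt.Errorf("no session %q", sessionID)
	}
	fresh, ok := idp[s.user]
	if !ok { // user deleted at the IdP: end the session rather than keep stale claims
		delete(d.sessions, sessionID)
		return false, fmt.Errorf("user %q no longer exists at the IdP", s.user)
	}
	d.sessions[sessionID] = session{user: s.user, claims: fresh}
	return p.Allows(fresh), nil
}

func main() {
	idp, db := IdP{}, NewDatabroker()
	adminOnly := Policy{AllowedIdPClaims: map[string][]string{"groups": {"admin"}}}
	// Constructed sample user: alice is an admin when she logs in.
	idp["alice"] = Claims{"groups": {"admin", "staff"}}
	_ = db.Login("sess-1", "alice", idp)
	ok, _ := db.AuthorizeCached(adminOnly, "sess-1")
	fmt.Println("at login, cached:", ok) // true
	// The IdP removes alice from the admin group; the snapshot never notices.
	idp["alice"] = Claims{"groups": {"staff"}}
	ok, _ = db.AuthorizeCached(adminOnly, "sess-1")
	fmt.Println("after revocation, cached:", ok) // true: the incorrect decision
	ok, _ = db.AuthorizeRefreshed(idp, adminOnly, "sess-1")
	fmt.Println("after revocation, refreshed:", ok) // false
	// Advisory workaround: clear the store so the user must log in again and the new session carries current claims.
	db.Clear()
	_ = db.Login("sess-2", "alice", idp)
	ok, _ = db.AuthorizeCached(adminOnly, "sess-2")
	fmt.Println("after clear and re-login, cached:", ok) // false
}
```

Note what the workaround does and does not do: clearing the databroker helps only because every user is forced to log in again and the new sessions carry the claims current at that moment; any claim change made after the clear is again invisible to policy evaluation until the next clear, so it is a stopgap until v0.15.6 is deployed.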

References

Affected packages

Git / github.com/pomerium/pomerium

Affected ranges

Type
GIT
Repo
https://github.com/pomerium/pomerium
Events

Affected versions

v0.*

v0.14.0
v0.15.0