GHSA-pvrc-wvj2-f59p

Source

https://github.com/advisories/GHSA-pvrc-wvj2-f59p

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-pvrc-wvj2-f59p/GHSA-pvrc-wvj2-f59p.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-pvrc-wvj2-f59p

Aliases

Published

2023-05-26T22:00:39Z

Modified

2024-08-20T20:59:05.535990Z

Severity

10.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N CVSS Calculator

Summary

Pomerium vulnerable to Incorrect Authorization with specially crafted requests

Details

Impact

With specially crafted requests, incorrect authorization decisions may be made by Pomerium.

Patches

We are releasing patch fixes to address this vulnerability going back to v0.17.X. Please upgrade to:

v0.22.2
v0.21.4
v0.20.1
v0.19.2
v0.18.1
v0.17.4

For more information

If you have any questions or comments about this advisory:

Open an issue in pomerium/pomerium
Email us at security@pomerium.com

Database specific

{
    "severity": "CRITICAL",
    "github_reviewed": true,
    "nvd_published_at": "2023-05-30T06:16:37Z",
    "github_reviewed_at": "2023-05-26T22:00:39Z",
    "cwe_ids": [
        "CWE-285"
    ]
}

References

Affected packages

Go

github.com/pomerium/pomerium

Package

Name: github.com/pomerium/pomerium; View open source insights on deps.dev
Purl: pkg:golang/github.com/pomerium/pomerium

Affected ranges

Type: SEMVER
Events: Introduced

0.22.0

Fixed

0.22.2

github.com/pomerium/pomerium

Package

Name: github.com/pomerium/pomerium; View open source insights on deps.dev
Purl: pkg:golang/github.com/pomerium/pomerium

Affected ranges

Type: SEMVER
Events: Introduced

0.21.0

Fixed

0.21.4

github.com/pomerium/pomerium

Package

Name: github.com/pomerium/pomerium; View open source insights on deps.dev
Purl: pkg:golang/github.com/pomerium/pomerium

Affected ranges

Type: SEMVER
Events: Introduced

0.20.0

Fixed

0.20.1

github.com/pomerium/pomerium

Package

Name: github.com/pomerium/pomerium; View open source insights on deps.dev
Purl: pkg:golang/github.com/pomerium/pomerium

Affected ranges

Type: SEMVER
Events: Introduced

0.19.0

Fixed

0.19.2

github.com/pomerium/pomerium

Package

Name: github.com/pomerium/pomerium; View open source insights on deps.dev
Purl: pkg:golang/github.com/pomerium/pomerium

Affected ranges

Type: SEMVER
Events: Introduced

0.18.0

Fixed

0.18.1

github.com/pomerium/pomerium

Package

Name: github.com/pomerium/pomerium; View open source insights on deps.dev
Purl: pkg:golang/github.com/pomerium/pomerium

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.17.4