Moderate severity · NVD Advisory · Published Nov 5, 2021 · Updated Aug 4, 2024
OIDC claims not updated from Identity Provider in Pomerium
CVE-2021-41230
Description
Pomerium is an open source identity-aware access proxy. In affected versions, changes to a user's OIDC claims after the initial login are not reflected in policy evaluation when allowed_idp_claims is used as part of a policy. If allowed_idp_claims is in use and a user's claims change, Pomerium can make incorrect authorization decisions. This issue has been resolved in v0.15.6. Users unable to upgrade should clear the data held by the databroker service, either by clearing Redis or by restarting the in-memory databroker, to force the claims to be updated.
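To make the failure mode concrete, here is an added Go model (not Pomerium's code) of a databroker-style claims cache evaluated against an allowed_idp_claims rule; the claim name, the user, and the match-any semantics of the rule are assumptions made for this illustration.

```go
package main

// Claims is a constructed stand-in for a user's OIDC claims (not Pomerium's types).
type Claims map[string][]string

// Policy models the allowed_idp_claims rule: allow if the user holds any of the
// listed values for a claim name (match-any semantics assumed for this model).
type Policy map[string][]string

func (p Policy) Allows(c Claims) bool {
	for name, allowed := range p {
		for _, want := range allowed {
			for _, have := range c[name] {
				if have == want {
					return true
				}
			}
		}
	}
	return false
}

// ClaimsStore models the databroker's cached claims captured at login.
type ClaimsStore struct {
	byUser        map[string]Claims
	refreshOnSync bool // false reproduces the pre-0.15.6 behaviour, true the fix
}

// Login caches the claims the identity provider returned at initial login.
func (s *ClaimsStore) Login(user string, c Claims) { s.byUser[user] = c }

// OnUpdateRecord is the path the advisory's patch changes: an updated user record
// must refresh the cached claims, or policy keeps evaluating the login snapshot.
func (s *ClaimsStore) OnUpdateRecord(user string, c Claims) {
	if s.refreshOnSync {
		s.byUser[user] = c
	}
}

func (s *ClaimsStore) Decide(p Policy, user string) bool { return p.Allows(s.byUser[user]) }

// Scenario: alice logs in as an admin, the IdP later moves her to "staff", and the
// databroker receives the updated record. Returns the admins-policy decision.
func Scenario(refreshOnSync bool) bool {
	s := &ClaimsStore{byUser: map[string]Claims{}, refreshOnSync: refreshOnSync}
	admins := Policy{"groups": {"admin"}}
	s.Login("alice", Claims{"groups": {"admin"}})
	s.OnUpdateRecord("alice", Claims{"groups": {"staff"}})
	return s.Decide(admins, "alice") // stale cache: true (wrongly allowed); refreshed: false
}
```

The mitigation in the description (clearing Redis or restarting the in-memory databroker) corresponds to emptying byUser so the next login repopulates it with current claims.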
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/pomerium/pomerium (Go) | >= 0.14.0, < 0.15.6 | 0.15.6 |
Patches (1)
f20542c4bf2c · identity: fix user refresh
1 file changed · +1 −0
internal/identity/manager/manager.go+1 −0 modified@@ -539,6 +539,7 @@ func (mgr *Manager) onUpdateRecords(ctx context.Context, msg updateRecordsMessag log.Warn(ctx).Msgf("error unmarshaling user: %s", err) continue } + mgr.onUpdateUser(ctx, record, &pbUser) } } }
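Review bot: no regression test accompanies the added call; the hunk inserts mgr.onUpdateUser(ctx, record, &pbUser) after the user record is unmarshaled in onUpdateRecords, which is exactly the path the advisory describes (a user record updated after login not changing the claims used in policy evaluation), so a test in the manager package that publishes an updated user record and asserts the refreshed claims are what the manager now holds would document the fix. It is also worth confirming that onUpdateUser tolerates a record for a user the manager has not seen before, since the loop now forwards every successfully unmarshaled record to it, not only records for users already tracked.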
References (6)
- github.com/advisories/GHSA-j6wp-3859-vxfg (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-41230 (NVD advisory)
- github.com/pomerium/pomerium/commit/f20542c4bf2cc691e4c324f7ec79e02e46d95511 (fix commit)
- github.com/pomerium/pomerium/pull/2724 (pull request)
- github.com/pomerium/pomerium/security/advisories/GHSA-j6wp-3859-vxfg (vendor advisory, confirm)
- pkg.go.dev/vuln/GO-2021-0258 (Go vulnerability database)