Description
Pomerium is an open source identity-aware access proxy. In affected versions changes to the OIDC claims of a user after initial login are not reflected in policy evaluation when using `allowed_idp_claims` as part of policy. If using `allowed_idp_claims` and a user's claims are changed, Pomerium can make incorrect authorization decisions. This issue has been resolved in v0.15.6. For users unable to upgrade clear data on `databroker` service by clearing redis or restarting the in-memory databroker to force claims to be updated.
Analysis
No analysis available yet.
Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).
| Vendor | Product | Default status | Versions | ||||||
|---|---|---|---|---|---|---|---|---|---|
| pomerium | pomerium | affected |
|
No data.
No data available yet.
Remediation
No remediation available yet.
Tracking
Sign in to view the affected projects.
Advisories
| Source | ID | Title |
|---|---|---|
 EUVD |
EUVD-2021-2361 | Pomerium is an open source identity-aware access proxy. In affected versions changes to the OIDC claims of a user after initial login are not reflected in policy evaluation when using `allowed_idp_claims` as part of policy. If using `allowed_idp_claims` and a user's claims are changed, Pomerium can make incorrect authorization decisions. This issue has been resolved in v0.15.6. For users unable to upgrade clear data on `databroker` service by clearing redis or restarting the in-memory databroker to force claims to be updated. |
 Github GHSA |
GHSA-j6wp-3859-vxfg | OIDC claims not updated from Identity Provider in Pomerium |
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2024-08-04T03:08:31.639Z
Reserved: 2021-09-15T00:00:00.000Z
Link: CVE-2021-41230
Vulnrichment
No data.
NVD
Status : Modified
Published: 2021-11-05T23:15:08.727
Modified: 2024-11-21T06:25:50.297
Link: CVE-2021-41230
Redhat
No data.
OpenCVE Enrichment
No data.
Weaknesses