CVE-2023-33189 - OpenCVE

Pomerium is an identity and context-aware access proxy. With specially crafted requests, incorrect authorization decisions may be made by Pomerium. This issue has been patched in versions 0.17.4, 0.18.1, 0.19.2, 0.20.1, 0.21.4 and 0.22.2.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Pomerium	Pomerium

Configuration 1 [-]

OR	cpe:2.3:a:pomerium:pomerium::::::::
	cpe:2.3:a:pomerium:pomerium::::::::
	cpe:2.3:a:pomerium:pomerium::::::::
	cpe:2.3:a:pomerium:pomerium::::::::
	cpe:2.3:a:pomerium:pomerium:0.18.0:::::::*
	cpe:2.3:a:pomerium:pomerium:0.20.0:::::::*

No data.

References

Link	Providers
https://github.com/pomerium/pomerium/commit/d315e683357a9b587ba9ef399a8813bcc52fdebb
https://github.com/pomerium/pomerium/releases/tag/v0.17.4
https://github.com/pomerium/pomerium/releases/tag/v0.18.1
https://github.com/pomerium/pomerium/releases/tag/v0.19.2
https://github.com/pomerium/pomerium/releases/tag/v0.20.1
https://github.com/pomerium/pomerium/releases/tag/v0.21.4
https://github.com/pomerium/pomerium/releases/tag/v0.22.2
https://github.com/pomerium/pomerium/security/advisories/GHSA-pvrc-wvj2-f59p

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-05-30T05:39:45.132Z

Updated: 2024-08-02T15:39:35.821Z

Reserved: 2023-05-17T22:25:50.698Z

Link: CVE-2023-33189

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-05-30T06:16:37.937

Modified: 2023-06-05T17:04:41.190

Link: CVE-2023-33189

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-33189", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-05-17T22:25:50.698Z", "datePublished": "2023-05-30T05:39:45.132Z", "dateUpdated": "2024-08-02T15:39:35.821Z"}, "containers": {"cna": {"title": "Incorrect Authorization with specially crafted requests", "problemTypes": [{"descriptions": [{"cweId": "CWE-285", "lang": "en", "description": "CWE-285: Improper Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/pomerium/pomerium/security/advisories/GHSA-pvrc-wvj2-f59p", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pomerium/pomerium/security/advisories/GHSA-pvrc-wvj2-f59p"}, {"name": "https://github.com/pomerium/pomerium/commit/d315e683357a9b587ba9ef399a8813bcc52fdebb", "tags": ["x_refsource_MISC"], "url": "https://github.com/pomerium/pomerium/commit/d315e683357a9b587ba9ef399a8813bcc52fdebb"}, {"name": "https://github.com/pomerium/pomerium/releases/tag/v0.17.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/pomerium/pomerium/releases/tag/v0.17.4"}, {"name": "https://github.com/pomerium/pomerium/releases/tag/v0.18.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/pomerium/pomerium/releases/tag/v0.18.1"}, {"name": "https://github.com/pomerium/pomerium/releases/tag/v0.19.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/pomerium/pomerium/releases/tag/v0.19.2"}, {"name": "https://github.com/pomerium/pomerium/releases/tag/v0.20.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/pomerium/pomerium/releases/tag/v0.20.1"}, {"name": "https://github.com/pomerium/pomerium/releases/tag/v0.21.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/pomerium/pomerium/releases/tag/v0.21.4"}, {"name": "https://github.com/pomerium/pomerium/releases/tag/v0.22.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/pomerium/pomerium/releases/tag/v0.22.2"}], "affected": [{"vendor": "pomerium", "product": "pomerium", "versions": [{"version": ">= 0.22.0, < 0.22.2", "status": "affected"}, {"version": ">= 0.21.0, < 0.21.4", "status": "affected"}, {"version": ">= 0.20.0, < 0.20.1", "status": "affected"}, {"version": ">= 0.19.0, < 0.19.2", "status": "affected"}, {"version": ">= 0.18.0, < 0.18.1", "status": "affected"}, {"version": "< 0.17.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-05-30T05:39:45.132Z"}, "descriptions": [{"lang": "en", "value": "Pomerium is an identity and context-aware access proxy. With specially crafted requests, incorrect authorization decisions may be made by Pomerium. This issue has been patched in versions 0.17.4, 0.18.1, 0.19.2, 0.20.1, 0.21.4 and 0.22.2."}], "source": {"advisory": "GHSA-pvrc-wvj2-f59p", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T15:39:35.821Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/pomerium/pomerium/security/advisories/GHSA-pvrc-wvj2-f59p", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/pomerium/pomerium/security/advisories/GHSA-pvrc-wvj2-f59p"}, {"name": "https://github.com/pomerium/pomerium/commit/d315e683357a9b587ba9ef399a8813bcc52fdebb", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/pomerium/pomerium/commit/d315e683357a9b587ba9ef399a8813bcc52fdebb"}, {"name": "https://github.com/pomerium/pomerium/releases/tag/v0.17.4", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/pomerium/pomerium/releases/tag/v0.17.4"}, {"name": "https://github.com/pomerium/pomerium/releases/tag/v0.18.1", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/pomerium/pomerium/releases/tag/v0.18.1"}, {"name": "https://github.com/pomerium/pomerium/releases/tag/v0.19.2", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/pomerium/pomerium/releases/tag/v0.19.2"}, {"name": "https://github.com/pomerium/pomerium/releases/tag/v0.20.1", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/pomerium/pomerium/releases/tag/v0.20.1"}, {"name": "https://github.com/pomerium/pomerium/releases/tag/v0.21.4", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/pomerium/pomerium/releases/tag/v0.21.4"}, {"name": "https://github.com/pomerium/pomerium/releases/tag/v0.22.2", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/pomerium/pomerium/releases/tag/v0.22.2"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pomerium:pomerium:*:*:*:*:*:*:*:*", "matchCriteriaId": "BB4624AE-F046-4907-A7E2-30415D3C243A", "versionEndExcluding": "0.17.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:pomerium:pomerium:*:*:*:*:*:*:*:*", "matchCriteriaId": "B8B01C39-CC4A-4A3C-850E-0C6DE43B8C45", "versionEndExcluding": "0.19.2", "versionStartIncluding": "0.19.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:pomerium:pomerium:*:*:*:*:*:*:*:*", "matchCriteriaId": "74933B5D-F984-414E-81D1-74D1447E6B28", "versionEndExcluding": "0.21.4", "versionStartIncluding": "0.21.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:pomerium:pomerium:*:*:*:*:*:*:*:*", "matchCriteriaId": "B7F7CBF8-0778-4DF2-AF60-B8C12E42B896", "versionEndExcluding": "0.22.2", "versionStartIncluding": "0.22.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:pomerium:pomerium:0.18.0:*:*:*:*:*:*:*", "matchCriteriaId": "0A86D41E-451B-4696-8993-AF8734BDDBF4", "vulnerable": true}, {"criteria": "cpe:2.3:a:pomerium:pomerium:0.20.0:*:*:*:*:*:*:*", "matchCriteriaId": "6754E0E9-C41E-4568-9E16-3EDF00CF5A62", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Pomerium is an identity and context-aware access proxy. With specially crafted requests, incorrect authorization decisions may be made by Pomerium. This issue has been patched in versions 0.17.4, 0.18.1, 0.19.2, 0.20.1, 0.21.4 and 0.22.2."}, {"lang": "es", "value": "Pomerium es un proxy de acceso consciente de la identidad y el contexto. Con peticiones manipuladas, Pomerium puede tomar decisiones de autorizaci\u00f3n incorrectas. Este problema ha sido corregido en las versiones 0.17.4, 0.18.1, 0.19.2, 0.20.1, 0.21.4 y 0.22.2. "}], "id": "CVE-2023-33189", "lastModified": "2023-06-05T17:04:41.190", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-05-30T06:16:37.937", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/pomerium/pomerium/commit/d315e683357a9b587ba9ef399a8813bcc52fdebb"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/pomerium/pomerium/releases/tag/v0.17.4"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/pomerium/pomerium/releases/tag/v0.18.1"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/pomerium/pomerium/releases/tag/v0.19.2"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/pomerium/pomerium/releases/tag/v0.20.1"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/pomerium/pomerium/releases/tag/v0.21.4"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/pomerium/pomerium/releases/tag/v0.22.2"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/pomerium/pomerium/security/advisories/GHSA-pvrc-wvj2-f59p"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-285"}], "source": "security-advisories@github.com", "type": "Secondary"}]}