CVE-2021-41230
Summary
| CVE | CVE-2021-41230 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-11-05 23:15:00 UTC |
| Updated | 2021-11-10 17:16:00 UTC |
| Description | Pomerium is an open source identity-aware access proxy. In affected versions, changes to the OIDC claims of a user after initial login are not reflected in policy evaluation when using `allowed_idp_claims` as part of a policy. If `allowed_idp_claims` is in use and a user's claims are changed, Pomerium can make incorrect authorization decisions. This issue has been resolved in v0.15.6. Users unable to upgrade can clear the data on the `databroker` service, by clearing Redis or restarting the in-memory databroker, to force claims to be updated. |
Risk And Classification
Problem Types: CWE-863
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| OIDC claims not updated from Identity Provider in Pomerium · Advisory · pomerium/pomerium · GitHub | CONFIRM | github.com | |
| identity: fix user refresh by calebdoxsey · Pull Request #2724 · pomerium/pomerium · GitHub | MISC | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 980194 Go (go) Security Update for github.com/pomerium/pomerium (GHSA-j6wp-3859-vxfg)