CVE-2021-29651
published 2021-04-02
CVE-2021-29651: Pomerium before 0.13.4 has an Open Redirect (issue 1 of 2).
Priority P422, medium, 6.1 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.66% (46.8th percentile)
Pomerium before 0.13.4 has an Open Redirect (issue 1 of 2).
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | pomerium_pomerium | >= 0 < 0.13.4 | 0.13.4 |
| pomerium | pomerium | < 0.13.4 | 0.13.4 |
CVSS provenance
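| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 5.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:N |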
OSV
JWT leak via Open Redirect in Programmatic access in github.com/pomerium/pomerium
osv·2024-08-21
CVE-2021-29651 JWT leak via Open Redirect in Programmatic access in github.com/pomerium/pomerium
OSV
JWT leak via Open Redirect in Programmatic access
osv·2021-05-21
CVE-2021-29651 [MEDIUM] JWT leak via Open Redirect in Programmatic access
### Impact
Using programmatic access on protected sites, one can get a signed login URL with pomerium_redirect_uri set to an arbitrary URL. Then, if the user has already logged into Pomerium, they will be redirected to the specified pomerium_redirect_uri with a JWT attached. This allows an outside attacker to get a signed login URL that, upon visiting it, will redirect a victim to the attacker’s site. This creates an issue of Open Redirect and, more seriously, JWT leakage.
With a leaked JWT, the attacker will be able to unveil the victim’s identity (e.g. email address) by supplying the JWT to the authenticate service or verify.pomerium.com. In addition, if an application integrating Pomerium only verifies the iss claim and others but not
GHSA
JWT leak via Open Redirect in Programmatic access
ghsa·2021-05-21
CVE-2021-29651 [MEDIUM] CWE-200 JWT leak via Open Redirect in Programmatic access
2021-04-02
Published