CVE-2023-33189 — Improper Authorization in Pomerium
Severity
9.8 CRITICAL (NVD)
EPSS
0.3%
top 50.41%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: May 30
Latest update: Aug 20
Description
Pomerium is an identity and context-aware access proxy. With specially crafted requests, incorrect authorization decisions may be made by Pomerium. This issue has been patched in versions 0.17.4, 0.18.1, 0.19.2, 0.20.1, 0.21.4 and 0.22.2.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9
Affected Packages: 3 packages
Patches
Vulnerability Details
3 OSV
Pomerium vulnerable to Incorrect Authorization with specially crafted requests in github.com/pomerium/pomerium (2024-08-20)