CVE-2024-39315
published 2024-07-02CVE-2024-39315: Pomerium is an identity and context-aware access proxy. Prior to version 0.26.1, the Pomerium user info page (at `/.pomerium`) unintentionally included…
PriorityP430medium6.5CVSS 3.1
AVNACLPRNUIRSUCHINAN
EPSS
0.42%
33.3th percentile
Pomerium is an identity and context-aware access proxy. Prior to version 0.26.1, the Pomerium user info page (at `/.pomerium`) unintentionally included serialized OAuth2 access and ID tokens from the logged-in user's session. These tokens are not intended to be exposed to end users. This issue may be more severe in the presence of a cross-site scripting vulnerability in an upstream application proxied through Pomerium. If an attacker could insert a malicious script onto a web page proxied through Pomerium, that script could access these tokens by making a request to the `/.pomerium` endpoint. Upstream applications that authenticate only the ID token may be vulnerable to user impersonation using a token obtained in this manner. Note that an OAuth2 access token or ID token by itself is not sufficient to hijack a user's Pomerium session. Upstream applications should not be vulnerable to user impersonation via these tokens provided the application verifies the Pomerium JWT for each request, the connection between Pomerium and the application is secured by mTLS, or the connection between Pomerium and the application is otherwise secured at the network layer. The issue is patched in Pomerium v0.26.1. No known workarounds are available.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | pomerium_pomerium | >= 0 < 0.26.1 | 0.26.1 |
| pomerium | pomerium | < 0.26.1 | 0.26.1 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Pomerium exposed OAuth2 access and ID tokens in user info endpoint response
osv·2024-07-05
CVE-2024-39315 [MEDIUM] Pomerium exposed OAuth2 access and ID tokens in user info endpoint response
Pomerium exposed OAuth2 access and ID tokens in user info endpoint response
### Impact
The Pomerium user info page (at `/.pomerium`) unintentionally included serialized OAuth2 access and ID tokens from the logged-in user's session. These tokens are not intended to be exposed to end users.
This issue may be more severe in the presence of an XSS vulnerability in an upstream application proxied through Pomerium. If an attacker could insert a malicious script onto a web page proxied through Pomerium, that script could access these tokens by making a request to the `/.pomerium` endpoint.
Upstream applications that authenticate only the ID token may be vulnerable to user impersonation using a token obtained in this manner.
Note that an OAuth2 access token or ID token by itself is not suffic
GHSA
Pomerium exposed OAuth2 access and ID tokens in user info endpoint response
ghsa·2024-07-05
CVE-2024-39315 [MEDIUM] CWE-201 Pomerium exposed OAuth2 access and ID tokens in user info endpoint response
Pomerium exposed OAuth2 access and ID tokens in user info endpoint response
### Impact
The Pomerium user info page (at `/.pomerium`) unintentionally included serialized OAuth2 access and ID tokens from the logged-in user's session. These tokens are not intended to be exposed to end users.
This issue may be more severe in the presence of an XSS vulnerability in an upstream application proxied through Pomerium. If an attacker could insert a malicious script onto a web page proxied through Pomerium, that script could access these tokens by making a request to the `/.pomerium` endpoint.
Upstream applications that authenticate only the ID token may be vulnerable to user impersonation using a token obtained in this manner.
Note that an OAuth2 access token or ID token by itself is not suffic
OSV
Pomerium exposed OAuth2 access and ID tokens in user info endpoint response in github.com/pomerium/pomerium
osv·2024-07-03
CVE-2024-39315 Pomerium exposed OAuth2 access and ID tokens in user info endpoint response in github.com/pomerium/pomerium
Pomerium exposed OAuth2 access and ID tokens in user info endpoint response in github.com/pomerium/pomerium
Pomerium exposed OAuth2 access and ID tokens in user info endpoint response in github.com/pomerium/pomerium
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/pomerium/pomerium/commit/4c7c4320afb2ced70ba19b46de1ac4383f3daa48https://github.com/pomerium/pomerium/security/advisories/GHSA-rrqr-7w59-637vhttps://github.com/pomerium/pomerium/commit/4c7c4320afb2ced70ba19b46de1ac4383f3daa48https://github.com/pomerium/pomerium/security/advisories/GHSA-rrqr-7w59-637v
2024-07-02
Published