CVE-2024-47616: Incorrect Authorization in Pomerium

Severity: 6.8 MEDIUM (NVD)
EPSS: 0.1% (percentile 79.01%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Oct 2, 2024; latest update Oct 9, 2024

Description

Pomerium is an identity- and context-aware access proxy. The Pomerium databroker service is responsible for managing all persistent Pomerium application state. Requests to the databroker service API are authorized by the presence of a JSON Web Token (JWT) signed with a key known to all Pomerium services in the same deployment. However, incomplete validation of this JWT meant that some service account access tokens, which are signed with the same key but issued for a different purpose, would incorrectly be treated as valid for the purpose of databroker API authorization.
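The description above turns on one distinction: a valid signature under the shared key proves which deployment minted a token, not what the token was minted for. The Go program below is an added illustration of that bug class and is not Pomerium's code, nor the actual fix (this page does not say which claims the patched check inspects). It mints two HS256 tokens under one shared key, an "internal" databroker token and a service-account token, and runs each through a signature-only authorizer and a stricter one that also binds issuer and audience. The claim names and values, the key, the authorizer logic and the function names are all assumptions made for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the token payload. The claim names and the values checked below are
// assumptions for this example, not Pomerium's actual token format.
type Claims struct {
	Issuer   string `json:"iss"`
	Audience string `json:"aud"`
	Expiry   int64  `json:"exp"`
}

// Decision records what each authorizer decided about one token.
type Decision struct{ Incomplete, Strict bool }

var ErrInvalidToken = errors.New("invalid token")

// sharedKey stands in for the key known to every service in a deployment (constructed for the example).
var sharedKey = []byte("example-shared-signing-key-do-not-use")
var enc = base64.RawURLEncoding

// Sign mints a compact HS256 JWT over c using key.
func Sign(key []byte, c Claims) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := enc.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + enc.EncodeToString(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return input + "." + enc.EncodeToString(mac.Sum(nil)), nil
}

// verifySignature checks structure, pins the algorithm to HS256 and verifies the
// HMAC. It establishes who signed the token, not what the token is for.
func verifySignature(key []byte, token string) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, ErrInvalidToken
	}
	rawHeader, errH := enc.DecodeString(parts[0])
	rawPayload, errP := enc.DecodeString(parts[1])
	sig, errS := enc.DecodeString(parts[2])
	if errH != nil || errP != nil || errS != nil {
		return Claims{}, ErrInvalidToken
	}
	var header struct{ Alg string `json:"alg"` }
	if json.Unmarshal(rawHeader, &header) != nil || header.Alg != "HS256" {
		return Claims{}, ErrInvalidToken
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	var c Claims
	if !hmac.Equal(sig, mac.Sum(nil)) || json.Unmarshal(rawPayload, &c) != nil {
		return Claims{}, ErrInvalidToken
	}
	return c, nil
}

// AuthorizeIncomplete models the bug class in the advisory: any unexpired token
// with a valid signature under the shared key is accepted for the databroker API.
func AuthorizeIncomplete(key []byte, token string, now time.Time) bool {
	c, err := verifySignature(key, token)
	return err == nil && c.Expiry > now.Unix()
}

// AuthorizeStrict also binds the token to its intended consumer (assumed claim values).
func AuthorizeStrict(key []byte, token string, now time.Time) bool {
	c, err := verifySignature(key, token)
	return err == nil && c.Expiry > now.Unix() &&
		c.Issuer == "internal" && c.Audience == "databroker"
}

// Demo mints an internal databroker token and a service-account token under the same key and runs both authorizers over each.
func Demo() (Decision, Decision, error) {
	now := time.Unix(1_700_000_000, 0)
	exp := now.Add(time.Hour).Unix()
	internalTok, err := Sign(sharedKey, Claims{Issuer: "internal", Audience: "databroker", Expiry: exp})
	svcTok, err2 := Sign(sharedKey, Claims{Issuer: "pomerium", Audience: "route", Expiry: exp})
	if err != nil || err2 != nil {
		return Decision{}, Decision{}, fmt.Errorf("sign: %v %v", err, err2)
	}
	return Decision{AuthorizeIncomplete(sharedKey, internalTok, now), AuthorizeStrict(sharedKey, internalTok, now)},
		Decision{AuthorizeIncomplete(sharedKey, svcTok, now), AuthorizeStrict(sharedKey, svcTok, now)}, nil
}

func main() {
	internal, svc, err := Demo()
	fmt.Printf("internal token: %+v\nservice-account token: %+v\nerr: %v\n", internal, svc, err)
}
```

The signature-only authorizer accepts the service-account token because it carries a valid HMAC under the shared key; the stricter one rejects it because the token was not issued for the databroker. When auditing a shared-key JWT scheme, the check to look for is exactly that second step: after the signature, something in the token must state the intended consumer, and the consumer must refuse tokens that do not name it.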

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Exploitability: 1.6 | Impact: 5.2
(Network attack vector, high attack complexity, low privileges required, no user interaction, scope unchanged; high confidentiality and integrity impact, no availability impact.)

Affected Packages (2 packages)

CVEListV5: pomerium/pomerium < 0.27.1

Vulnerability Details (3 references)

OSV: Pomerium service account access token may grant unintended access to databroker API in github.com/pomerium/pomerium (2024-10-09)
OSV: Pomerium service account access token may grant unintended access to databroker API (2024-10-02)
GHSA: Pomerium service account access token may grant unintended access to databroker API (2024-10-02)
CVE-2024-47616 — Incorrect Authorization in Pomerium | cvebase