# github.com/pomerium/pomerium vulnerabilities
11 known vulnerabilities affecting github.com/pomerium/pomerium.
- Total CVEs: 11
- CISA KEV: 0
- Public exploits: 0
- Exploited in wild: 0
- Severity breakdown: CRITICAL 1, HIGH 5, MEDIUM 5
## Vulnerabilities
## CVE-2024-47616 [HIGH] CWE-863 Pomerium service account access token may grant unintended access to databroker API
Affected versions: ≥ 0, < 0.27.1. Date: 2024-10-02.
### Impact
We've identified a vulnerability in the Pomerium databroker service API that may grant unintended access under specific conditions. This affects only certain Pomerium Zero and Pomerium Enterprise deployments.
#### Who is affected?
A Pomerium deployment is susceptible to this issue if _a
## CVE-2022-24797 [MEDIUM] CWE-200 Exposure of debug and metrics endpoints in Pomerium
Affected versions: ≥ 0.16.0, < 0.17.1. Date: 2024-09-06.
### Impact
In distributed service mode, Pomerium's Authenticate service exposes pprof debug and prometheus metrics handlers to untrusted traffic. This can leak potentially sensitive environmental information or lead to limited denial of service conditions.
### Patches
v0.17.1
### Workarounds
Block access to `/debug` and `/metrics` paths on the authenticate se
## CVE-2024-39315 [MEDIUM] CWE-201 Pomerium exposed OAuth2 access and ID tokens in user info endpoint response
Affected versions: ≥ 0, < 0.26.1. Date: 2024-07-05.
### Impact
The Pomerium user info page (at `/.pomerium`) unintentionally included serialized OAuth2 access and ID tokens from the logged-in user's session. These tokens are not intended to be exposed to end users.
This issue may be more severe in the presence of an XSS vulnerability in an upstream application pr
## CVE-2023-33189 [CRITICAL] CWE-285 Pomerium vulnerable to Incorrect Authorization with specially crafted requests
Affected versions: ≥ 0.22.0, < 0.22.2; ≥ 0.21.0, < 0.21.4; +4 more. Date: 2023-05-26.
### Impact
With specially crafted requests, incorrect authorization decisions may be made by Pomerium.
### Patches
We are releasing patch fixes to address this vulnerability going back to `v0.17.X`. Please upgrade to:
- v0.22.2
- v0.21.4
- v0.20.1
- v0.19.2
- v0.18.1
- v0.17.4
### For more informatio
## CVE-2021-43824 [HIGH] Multiple security issues in Pomerium's embedded envoy
CVSS 7.5. Affected versions: ≥ 0, < 0.16.4. Date: 2022-03-01.
Envoy, which Pomerium is based on, has issued multiple CVEs impacting stability and security.
Though Pomerium may not be vulnerable to all of the issues, it is recommended that all users upgrade to Pomerium v0.16.4 as soon as possible to minimize risk.
### Impact
- Possible DoS or crash
- Resources available to unauthorized users
- Pomerium may trust upstream certificates that s
## CVE-2021-41230 [MEDIUM] CWE-863 OIDC claims not updated from Identity Provider in Pomerium
Affected versions: ≥ 0.14.0, < 0.15.6. Date: 2021-11-10.
### Impact
Changes to the OIDC claims of a user after initial login are not reflected in policy evaluation when using [`allowed_idp_claims`](https://www.pomerium.com/reference/#allowed-idp-claims) as part of policy. If using `allowed_idp_claims` and a user's claims are changed, Pomerium can make incorrect authorization decisions.
### Patches
v0.1
## CVE-2021-39162 [HIGH] CWE-754 Incorrect handling of H2 GOAWAY + SETTINGS frames
CVSS 7.5. Affected versions: ≥ 0, < 0.15.1. Date: 2021-09-10.
Envoy, which Pomerium is based on, can abnormally terminate if an H/2 GOAWAY and SETTINGS frame are received in the same IO event.
### Impact
This can lead to a DoS in the presence of untrusted *upstream* servers.
### Patches
0.15.1 contains an upgraded envoy binary with this vulnerability patched.
### Workarounds
If only trusted upstreams are configured, there is
## CVE-2021-39206 [HIGH] CWE-863 Incorrect Authorization with specially crafted requests
CVSS 8.3. Affected versions: ≥ 0.11.0, < 0.14.8; ≥ 0.15.0, < 0.15.1. Date: 2021-09-10.
Envoy, which Pomerium is based on, contains two authorization related vulnerabilities:
- [CVE-2021-32777](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32779): incorrectly transform a URL containing a `#fragment` element, causing a mismatch in path-prefix based authorization decisions.
- [CVE-2021-32779](https://cve.mitre.org/cgi-bin/cvename.cg
## CVE-2021-39204 [HIGH] CWE-834 Excessive CPU usage
CVSS 7.5. Affected versions: ≥ 0, < 0.14.8; ≥ 0.15.0, < 0.15.1. Date: 2021-09-10.
Envoy, which Pomerium is based on, incorrectly handles resetting of HTTP/2 streams with excessive complexity. This can lead to high CPU utilization when a large number of streams are reset.
### Impact
This can result in a DoS condition.
### Patches
Pomerium versions 0.14.8 and 0.15.1 contain an upgraded envoy binary with this vulnerability patched.
### Workarounds
N/A
### References
[envoy GSA](https://github.com/envoypr
## CVE-2021-29651 [MEDIUM] CWE-200 JWT leak via Open Redirect in Programmatic access
Affected versions: ≥ 0, < 0.13.4. Date: 2021-05-21.
### Impact
Using programmatic access on protected sites, one can get a signed login URL with `pomerium_redirect_uri` set to an arbitrary URL. Then, if the user has already logged into Pomerium, they will be redirected to the specified `pomerium_redirect_uri` with a JWT attached. This allows an outside attacker to get a signed login URL that, upon visiting it, will redi
## CVE-2021-29652 [MEDIUM] CWE-601 pomerium_signature is not verified in middleware in github.com/pomerium/pomerium
Affected versions: ≥ 0.10.0, < 0.13.4. Date: 2021-05-21.
### Impact
Some API endpoints under `/.pomerium/` do not verify parameters with `pomerium_signature`. This could allow modifying parameters intended to be trusted to Pomerium.
The issue mainly affects routes responsible for sign in/out, but does not introduce an authentication bypass.
### Specific Go Packa