CVE-2021-41230: Incorrect Authorization
Pomerium is an open source identity-aware access proxy. In affected versions changes to the OIDC claims of a user after initial login are not reflected in policy evaluation when using allowed_idp_claims
as part of policy. If using allowed_idp_claims
and a user’s claims are changed, Pomerium can make incorrect authorization decisions. This issue has been resolved in v0.15.6. For users unable to upgrade clear data on databroker
service by clearing redis or restarting the in-memory databroker to force claims to be updated.
References
Detect and mitigate CVE-2021-41230 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →