CVE-2021-41230 : What You Need to Know

Learn about CVE-2021-41230 affecting Pomerium versions >= 0.14.0 and < 0.15.6. Understand the impact, vulnerability description, affected systems, and mitigation steps.

Pomerium is an open source identity-aware access proxy. In affected versions, changes to the OIDC claims are not reflected in policy evaluation, leading to incorrect authorization decisions.

Understanding CVE-2021-41230

What is CVE-2021-41230?

Pomerium versions >= 0.14.0 and < 0.15.6 have a vulnerability where changes to a user's OIDC claims are not updated in policy evaluation, potentially resulting in incorrect authorization decisions.

The Impact of CVE-2021-41230

The vulnerability allows for incorrect authorization decisions due to the lack of proper updating of OIDC claims in policy evaluation in affected versions.

Technical Details of CVE-2021-41230

Vulnerability Description

Changes to OIDC claims after login are not reflected in policy evaluation, potentially leading to incorrect authorization decisions.

Affected Systems and Versions

        Product: Pomerium
        Vendor: Pomerium
        Versions Affected: >= 0.14.0, < 0.15.6

Exploitation Mechanism

The issue arises when allowed_idp_claims is used as part of a policy and a user's claims are subsequently modified at the identity provider: policy evaluation continues to use the claims captured at login, so authorization decisions no longer match the user's current claims.

Mitigation and Prevention

Immediate Steps to Take

        Upgrade to version 0.15.6 to resolve the issue
        Clear the data held by the 'databroker' service (flush Redis, or restart the in-memory databroker) so that stored sessions are discarded and claims are fetched again
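The following toy model, added here and not part of the advisory or of Pomerium's code, shows the failure mode described under Exploitation Mechanism and why the databroker-clearing step above works. A login-time snapshot of OIDC claims stands in for the databroker session record; an allowed_idp_claims rule is evaluated either against that snapshot (the affected behaviour) or against claims refreshed from the identity provider (the intended behaviour). The policy, the user "alice", the route and the claim values are constructed for the illustration, and the rule semantics (allow if any listed claim holds one of its accepted values) are the example's assumption.

```python
"""Toy model of the stale-claims failure described in CVE-2021-41230.

Added illustration, not Pomerium's code: a login-time snapshot of OIDC
claims stands in for the databroker session record, and an
allowed_idp_claims rule is evaluated against either that snapshot
(affected behaviour) or freshly fetched claims (intended behaviour).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Union

# Claim name -> single value or list of values (e.g. a "groups" claim).
Claims = Dict[str, Union[str, List[str]]]


@dataclass
class Policy:
    """One route with an allowed_idp_claims rule: claim name -> accepted values."""
    route: str
    allowed_idp_claims: Dict[str, List[str]]


def claims_allow(policy: Policy, claims: Claims) -> bool:
    """Assumed semantics: allow if any listed claim holds one of its accepted values."""
    for name, accepted in policy.allowed_idp_claims.items():
        value = claims.get(name)
        if value is None:
            continue
        values = value if isinstance(value, list) else [value]
        if any(v in accepted for v in values):
            return True
    return False


@dataclass
class IdentityProvider:
    """Constructed stand-in for the OIDC provider; holds each subject's current claims."""
    users: Dict[str, Claims]

    def current_claims(self, subject: str) -> Claims:
        return dict(self.users[subject])


@dataclass
class Databroker:
    """Stand-in for the databroker: session id -> claims captured at login."""
    sessions: Dict[str, Claims] = field(default_factory=dict)

    def login(self, session_id: str, claims: Claims) -> None:
        self.sessions[session_id] = dict(claims)

    def clear(self) -> None:
        """The advisory's mitigation: drop stored sessions so claims must be refetched."""
        self.sessions.clear()


def authorize_stale(policy: Policy, broker: Databroker, session_id: str) -> bool:
    """Affected behaviour: evaluate only the login-time snapshot; no session means deny."""
    claims = broker.sessions.get(session_id)
    return claims is not None and claims_allow(policy, claims)


def authorize_fresh(policy: Policy, idp: IdentityProvider, subject: str) -> bool:
    """Intended behaviour: evaluate against the subject's current claims at the IdP."""
    return claims_allow(policy, idp.current_claims(subject))


def run_scenario() -> Dict[str, bool]:
    """alice is in 'admins' at login, then loses that group at the IdP."""
    policy = Policy("https://admin.example.internal",  # constructed route
                    allowed_idp_claims={"groups": ["admins"]})
    idp = IdentityProvider({"alice": {"email": "alice@example.internal",
                                      "groups": ["admins", "staff"]}})
    broker = Databroker()
    broker.login("sess-1", idp.current_claims("alice"))
    results = {"at_login": authorize_stale(policy, broker, "sess-1")}

    idp.users["alice"]["groups"] = ["staff"]  # claim changes after login
    results["stale_after_change"] = authorize_stale(policy, broker, "sess-1")   # still allowed (the bug)
    results["fresh_after_change"] = authorize_fresh(policy, idp, "alice")       # correctly denied

    broker.clear()  # mitigation: no snapshot left to evaluate, user must re-authenticate
    results["after_clear"] = authorize_stale(policy, broker, "sess-1")
    broker.login("sess-1", idp.current_claims("alice"))  # re-login picks up current claims
    results["after_relogin"] = authorize_stale(policy, broker, "sess-1")
    return results


if __name__ == "__main__":
    for step, allowed in run_scenario().items():
        print(f"{step:20s} -> {'ALLOW' if allowed else 'DENY'}")
```

The stale_after_change step is the incorrect decision the advisory describes; clearing the databroker removes the snapshot, and the re-login that follows evaluates against the claims the identity provider currently issues.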

Long-Term Security Practices

        Regularly update Pomerium to the latest versions
        Monitor security advisories from Pomerium

Patching and Updates

Ensure timely application of patches and updates to maintain system security.
