{"id":"CVE-2021-41230","details":"Pomerium is an open source identity-aware access proxy. In affected versions, changes to the OIDC claims of a user after initial login are not reflected in policy evaluation when using `allowed_idp_claims` as part of a policy. If `allowed_idp_claims` is in use and a user's claims change, Pomerium can make incorrect authorization decisions. This issue has been resolved in v0.15.6. Users unable to upgrade can force claims to be refreshed by clearing the data held by the `databroker` service, either by clearing Redis or by restarting the in-memory databroker.","aliases":["GHSA-j6wp-3859-vxfg","GO-2021-0258"],"modified":"2026-03-13T22:15:35.864265Z","published":"2021-11-05T23:15:08.727Z","related":["GHSA-j6wp-3859-vxfg"],"references":[{"type":"ADVISORY","url":"https://github.com/pomerium/pomerium/security/advisories/GHSA-j6wp-3859-vxfg"},{"type":"FIX","url":"https://github.com/pomerium/pomerium/pull/2724"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/pomerium/pomerium","events":[{"introduced":"0071b4e7a5ebcbc1d9b908922bc5c2678fa46f8f"},{"fixed":"4cb3281af7b5e030c89cefcca51b7f4ce409ee25"}],"database_specific":{"versions":[{"introduced":"0.14.0"},{"fixed":"0.15.6"}]}}],"versions":["v0.14.0","v0.15.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-41230.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}