{"id":"GO-2021-0258","summary":"Incorrect authorization in github.com/pomerium/pomerium","details":"Pomerium is an open source identity-aware access proxy. Changes to the OIDC claims of a user after initial login are not reflected in policy evaluation when using allowed_idp_claims as part of policy. If using allowed_idp_claims and a user's claims are changed, Pomerium can make incorrect authorization decisions.\n\nFor users unable to upgrade clear data on databroker service by clearing redis or restarting the in-memory databroker to force claims to be updated.","aliases":["CVE-2021-41230","GHSA-j6wp-3859-vxfg"],"modified":"2024-05-20T16:03:47Z","published":"2022-01-14T17:30:31Z","database_specific":{"review_status":"REVIEWED","url":"https://pkg.go.dev/vuln/GO-2021-0258"},"references":[{"type":"FIX","url":"https://github.com/pomerium/pomerium/pull/2724"},{"type":"FIX","url":"https://github.com/pomerium/pomerium/commit/f20542c4bf2cc691e4c324f7ec79e02e46d95511"}],"affected":[{"package":{"name":"github.com/pomerium/pomerium","ecosystem":"Go","purl":"pkg:golang/github.com/pomerium/pomerium"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.15.6"}]}],"ecosystem_specific":{"imports":[{"path":"github.com/pomerium/pomerium/internal/identity/manager","symbols":["Manager.Run","Manager.RunLeased","Manager.onUpdateRecords"]}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2021-0258.json"}}],"schema_version":"1.7.3"}