Authenticate: Pomerium_signature Is Not Verified In Middleware

authenticate: pomerium_signature is not verified in middleware
Severity: High
Published by travisgroth as GHSA-fv82-r8qv-ch4v on Mar 31, 2021

Package

github.com/pomerium/pomerium (Golang)

Affected versions

0.10.0-0.13.3

Patched versions

0.13.4

Description

Impact

Some API endpoints under /.pomerium/ do not verify their parameters against pomerium_signature. This could allow modification of parameters that Pomerium is meant to trust.

The issue mainly affects routes responsible for sign in/out, but does not introduce an authentication bypass.
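As an added illustration (this is not Pomerium's own code or its actual signing scheme), the following Go program shows the kind of check the advisory says was missing on some routes: every parameter the application must trust, such as the redirect target of a sign-in/sign-out route, is covered by an HMAC carried in pomerium_signature, and the verifier rejects any request whose parameters no longer match the signature or that carries no signature at all. The key, hostnames and URLs are constructed placeholders, and the parameter canonicalization is an assumption of this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/url"
)

// signatureParam is the query parameter that carries the HMAC. The name
// matches the advisory; the scheme below is illustrative, not Pomerium's.
const signatureParam = "pomerium_signature"

// cloneValues copies url.Values so the caller's map is not mutated.
func cloneValues(q url.Values) url.Values {
	out := make(url.Values, len(q))
	for k, v := range q {
		out[k] = append([]string(nil), v...)
	}
	return out
}

// canonicalQuery returns the query string with signatureParam removed and
// the remaining keys sorted, so signer and verifier hash identical bytes.
func canonicalQuery(q url.Values) string {
	q = cloneValues(q)
	q.Del(signatureParam)
	return q.Encode() // url.Values.Encode sorts by key
}

// computeSignature HMACs path + "?" + canonical query under the shared key.
func computeSignature(key []byte, u *url.URL) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(u.Path))
	mac.Write([]byte{'?'})
	mac.Write([]byte(canonicalQuery(u.Query())))
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// SignURL appends pomerium_signature to rawURL and returns the signed URL.
func SignURL(key []byte, rawURL string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	q := u.Query()
	q.Set(signatureParam, computeSignature(key, u))
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// VerifyURL reports whether rawURL carries a valid signature over its path
// and parameters. A missing signature or any changed parameter fails closed;
// this is the check that middleware should apply before trusting the values.
func VerifyURL(key []byte, rawURL string) bool {
	u, err := url.Parse(rawURL)
	if err != nil {
		return false
	}
	got := u.Query().Get(signatureParam)
	if got == "" {
		return false
	}
	want := computeSignature(key, u)
	// Constant-time comparison of the fixed-length encoded MACs.
	return hmac.Equal([]byte(got), []byte(want))
}

// ReplaceParam rewrites one query parameter while leaving the existing
// signature in place, to show that the verifier detects the change.
func ReplaceParam(rawURL, param, value string) string {
	u, err := url.Parse(rawURL)
	if err != nil {
		return rawURL
	}
	q := u.Query()
	q.Set(param, value)
	u.RawQuery = q.Encode()
	return u.String()
}

func main() {
	key := []byte("constructed-demo-shared-key") // placeholder, not a real key
	signed, _ := SignURL(key, "https://authenticate.example.test/.pomerium/sign_out?redirect_uri=https://app.example.test/")
	fmt.Println("signed URL verifies:", VerifyURL(key, signed))
	changed := ReplaceParam(signed, "redirect_uri", "https://other.example.test/")
	fmt.Println("modified redirect_uri verifies:", VerifyURL(key, changed))
}
```

The point of signing the whole canonical parameter set rather than a single value is that the verifier cannot be bypassed by adding, dropping or reordering parameters: anything not covered by the MAC is simply not trusted.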

Patches

Patched in v0.13.4

Workarounds

None

References

None

For more information

If you have any questions or comments about this advisory:

Severity

High

CVE ID

CVE-2021-29652

Weaknesses

Weakness CWE-601

URL Redirection to Untrusted Site ('Open Redirect')

The web application accepts user-controlled input that specifies a link to an external site and uses that link in a redirect.

Credits

  • @cure53 (cure53), Analyst
