Some API endpoints under /.pomerium/ do not verify parameters with pomerium_signature. This could allow modifying parameters intended to be trusted to Pomerium.
The issue mainly affects routes responsible for sign in/out, but does not introduce an authentication bypass.
github.com/pomerium/pomerium/authenticate
Patched in v0.13.4
If you have any questions or comments about this advisory
CPE | Name | Operator | Version |
---|---|---|---|
github.com/pomerium/pomerium | lt | 0.13.4 |