38 matches found
CVE-2022-24797
Pomerium is an identity-aware access proxy. In distributed service mode, Pomerium's Authenticate service exposes pprof debug and prometheus metrics handlers to untrusted traffic. This can leak potentially sensitive environmental information or lead to limited denial of service conditions. This...
CVE-2022-24797 Exposure of Sensitive Information in Pomerium
Pomerium is an identity-aware access proxy. In distributed service mode, Pomerium's Authenticate service exposes pprof debug and prometheus metrics handlers to untrusted traffic. This can leak potentially sensitive environmental information or lead to limited denial of service conditions. This...
CVE-2022-24797
CVE-2022-24797 affects Pomerium in distributed service mode, where the Authenticate service exposes pprof debug and Prometheus metrics endpoints to untrusted traffic. This can leak environmental information and cause limited denial of service. The issue is fixed in v0.17.1. Workarounds include bl...
GO-2021-0258 Incorrect authorization in github.com/pomerium/pomerium
Pomerium is an open source identity-aware access proxy. Changes to the OIDC claims of a user after initial login are not reflected in policy evaluation when using allowedidpclaims as part of policy. If using allowedidpclaims and a user's claims are changed, Pomerium can make incorrect authorizati...
Authorization
Pomerium is an open source identity-aware access proxy. In affected versions changes to the OIDC claims of a user after initial login are not reflected in policy evaluation when using allowedidpclaims as part of policy. If using allowedidpclaims and a user's claims are changed, Pomerium can make...
CVE-2021-41230
Pomerium (open source identity-aware access proxy) is affected when using allowed_idp_claims: changes to a user’s OIDC claims after initial login may not be reflected in policy evaluation, causing incorrect authorization decisions. The issue has been fixed in v0.15.6. For users who cannot upgrade...
CVE-2021-39206
Pomerium is an open source identity-aware access proxy. Envoy, which Pomerium is based on, contains two authorization related vulnerabilities CVE-2021-32777 and CVE-2021-32779. This may lead to incorrect routing or authorization policy decisions. With specially crafted requests, incorrect...
Authorization
Pomerium is an open source identity-aware access proxy. Envoy, which Pomerium is based on, contains two authorization related vulnerabilities CVE-2021-32777 and CVE-2021-32779. This may lead to incorrect routing or authorization policy decisions. With specially crafted requests, incorrect...
CVE-2021-39162
Pomerium is an open source identity-aware access proxy. Envoy, which Pomerium is based on, can abnormally terminate if an H/2 GOAWAY and SETTINGS frame are received in the same IO event. This can lead to a DoS in the presence of untrusted upstream servers. 0.15.1 contains an upgraded envoy binary...
CVE-2021-39162
Pomerium is an open source identity-aware access proxy. Envoy, which Pomerium is based on, can abnormally terminate if an H/2 GOAWAY and SETTINGS frame are received in the same IO event. This can lead to a DoS in the presence of untrusted upstream servers. 0.15.1 contains an upgraded envoy binary...
Design/Logic Flaw
Pomerium is an open source identity-aware access proxy. Envoy, which Pomerium is based on, incorrectly handles resetting of HTTP/2 streams with excessive complexity. This can lead to high CPU utilization when a large number of streams are reset. This can result in a DoS condition. Pomerium versio...
CVE-2021-39206
CVE-2021-39206 references Envoy vulnerabilities CVE-2021-32777 and CVE-2021-32779 within Pomerium. The issue can lead to incorrect authorization or routing decisions when path-prefix policy is used. Pomerium has patched Envoy in v0.14.8 and v0.15.1; mitigation also includes removing path-prefix p...
CVE-2021-39162
CVE-2021-39162 affects Pomerium via its Envoy-based upstream processing. An H2 GOAWAY plus SETTINGS frame received in the same IO event can cause Envoy to terminate abnormally, leading to DoS when untrusted upstreams are present. The mitigation/patch is in version 0.15.1 (Envoy upgrade). If only ...
Incorrect Authorization in ORY Oathkeeper
ORY Oathkeeper is an Identity & Access Proxy IAP and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. When you make a request to an endpoint that requires the scope foo using an access token granted with that foo scope, introspection will be valid and that...
CVE-2021-32701
ORY Oathkeeper is an Identity & Access Proxy IAP and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. When you make a request to an endpoint that requires the scope foo using an access token granted with that foo scope, introspection will be valid and that...
Design/Logic Flaw
ORY Oathkeeper is an Identity & Access Proxy IAP and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. When you make a request to an endpoint that requires the scope foo using an access token granted with that foo scope, introspection will be valid and that...
ORY Oathkeeper 安全漏洞
ORY Oathkeeper is an open source an Identity Access Proxy IAP and Access Control Decision API that authorizes HTTP requests based on a set of access rules. A security vulnerability exists in ORY Oathkeeper, which stems from an Identity Access Proxy IAP and Access Control Decision API that...
Unsecured Proxy
strapi-plugin-upload contains an unsecured proxy. An unauthenticated user is able to access the proxy without any authorization, allowing for access to other protected resources...