Lucene search
K

38 matches found

NVD
NVD
added 2022/03/31 11:15 p.m.33 views

CVE-2022-24797

Pomerium is an identity-aware access proxy. In distributed service mode, Pomerium's Authenticate service exposes pprof debug and prometheus metrics handlers to untrusted traffic. This can leak potentially sensitive environmental information or lead to limited denial of service conditions. This...

9.1CVSS0.01324EPSS
Exploits0References3
Cvelist
Cvelist
added 2022/03/31 10:40 p.m.41 views

CVE-2022-24797 Exposure of Sensitive Information in Pomerium

Pomerium is an identity-aware access proxy. In distributed service mode, Pomerium's Authenticate service exposes pprof debug and prometheus metrics handlers to untrusted traffic. This can leak potentially sensitive environmental information or lead to limited denial of service conditions. This...

6.5CVSS9.1AI score0.01324EPSS
Exploits0References3
CVE
CVE
added 2022/03/31 10:40 p.m.103 views

CVE-2022-24797

CVE-2022-24797 affects Pomerium in distributed service mode, where the Authenticate service exposes pprof debug and Prometheus metrics endpoints to untrusted traffic. This can leak environmental information and cause limited denial of service. The issue is fixed in v0.17.1. Workarounds include bl...

9.1CVSS7.5AI score0.01324EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2022/01/14 5:30 p.m.26 views

GO-2021-0258 Incorrect authorization in github.com/pomerium/pomerium

Pomerium is an open source identity-aware access proxy. Changes to the OIDC claims of a user after initial login are not reflected in policy evaluation when using allowedidpclaims as part of policy. If using allowedidpclaims and a user's claims are changed, Pomerium can make incorrect authorizati...

8.8CVSS8.6AI score0.00832EPSS
Exploits0References2
Prion
Prion
added 2021/11/05 11:15 p.m.22 views

Authorization

Pomerium is an open source identity-aware access proxy. In affected versions changes to the OIDC claims of a user after initial login are not reflected in policy evaluation when using allowedidpclaims as part of policy. If using allowedidpclaims and a user's claims are changed, Pomerium can make...

6.5CVSS8.6AI score0.00832EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2021/11/05 10:40 p.m.63 views

CVE-2021-41230

Pomerium (open source identity-aware access proxy) is affected when using allowed_idp_claims: changes to a user’s OIDC claims after initial login may not be reflected in policy evaluation, causing incorrect authorization decisions. The issue has been fixed in v0.15.6. For users who cannot upgrade...

8.8CVSS6.7AI score0.00832EPSS
Exploits0References2Affected Software1
NVD
NVD
added 2021/09/09 11:15 p.m.25 views

CVE-2021-39206

Pomerium is an open source identity-aware access proxy. Envoy, which Pomerium is based on, contains two authorization related vulnerabilities CVE-2021-32777 and CVE-2021-32779. This may lead to incorrect routing or authorization policy decisions. With specially crafted requests, incorrect...

8.6CVSS0.01457EPSS
Exploits0References4
Prion
Prion
added 2021/09/09 11:15 p.m.26 views

Authorization

Pomerium is an open source identity-aware access proxy. Envoy, which Pomerium is based on, contains two authorization related vulnerabilities CVE-2021-32777 and CVE-2021-32779. This may lead to incorrect routing or authorization policy decisions. With specially crafted requests, incorrect...

5CVSS8.3AI score0.03325EPSS
Exploits0References4Affected Software2
NVD
NVD
added 2021/09/09 10:15 p.m.17 views

CVE-2021-39162

Pomerium is an open source identity-aware access proxy. Envoy, which Pomerium is based on, can abnormally terminate if an H/2 GOAWAY and SETTINGS frame are received in the same IO event. This can lead to a DoS in the presence of untrusted upstream servers. 0.15.1 contains an upgraded envoy binary...

8.6CVSS0.01638EPSS
Exploits0References3
OSV
OSV
added 2021/09/09 10:15 p.m.19 views

CVE-2021-39162

Pomerium is an open source identity-aware access proxy. Envoy, which Pomerium is based on, can abnormally terminate if an H/2 GOAWAY and SETTINGS frame are received in the same IO event. This can lead to a DoS in the presence of untrusted upstream servers. 0.15.1 contains an upgraded envoy binary...

8.6CVSS8.4AI score
Exploits0References3
Prion
Prion
added 2021/09/09 10:15 p.m.20 views

Design/Logic Flaw

Pomerium is an open source identity-aware access proxy. Envoy, which Pomerium is based on, incorrectly handles resetting of HTTP/2 streams with excessive complexity. This can lead to high CPU utilization when a large number of streams are reset. This can result in a DoS condition. Pomerium versio...

5CVSS7.4AI score0.01662EPSS
Exploits0References3Affected Software2
CVE
CVE
added 2021/09/09 10:10 p.m.71 views

CVE-2021-39206

CVE-2021-39206 references Envoy vulnerabilities CVE-2021-32777 and CVE-2021-32779 within Pomerium. The issue can lead to incorrect authorization or routing decisions when path-prefix policy is used. Pomerium has patched Envoy in v0.14.8 and v0.15.1; mitigation also includes removing path-prefix p...

8.6CVSS8.7AI score0.01457EPSS
Exploits0References4Affected Software2
CVE
CVE
added 2021/09/09 10:5 p.m.77 views

CVE-2021-39162

CVE-2021-39162 affects Pomerium via its Envoy-based upstream processing. An H2 GOAWAY plus SETTINGS frame received in the same IO event can cause Envoy to terminate abnormally, leading to DoS when untrusted upstreams are present. The mitigation/patch is in version 0.15.1 (Envoy upgrade). If only ...

8.6CVSS8.4AI score0.01638EPSS
Exploits0References3Affected Software2
Github Security Blog
Github Security Blog
added 2021/06/24 8:16 p.m.78 views

Incorrect Authorization in ORY Oathkeeper

ORY Oathkeeper is an Identity & Access Proxy IAP and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. When you make a request to an endpoint that requires the scope foo using an access token granted with that foo scope, introspection will be valid and that...

7.5CVSS0.4AI score0.01298EPSS
Exploits0References5Affected Software1
OSV
OSV
added 2021/06/22 8:15 p.m.28 views

CVE-2021-32701

ORY Oathkeeper is an Identity & Access Proxy IAP and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. When you make a request to an endpoint that requires the scope foo using an access token granted with that foo scope, introspection will be valid and that...

7.5CVSS7.5AI score
Exploits0References3
Prion
Prion
added 2021/06/22 8:15 p.m.19 views

Design/Logic Flaw

ORY Oathkeeper is an Identity & Access Proxy IAP and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. When you make a request to an endpoint that requires the scope foo using an access token granted with that foo scope, introspection will be valid and that...

4.3CVSS7.5AI score0.01298EPSS
Exploits0References3Affected Software1
CNNVD
CNNVD
added 2021/06/22 12:0 a.m.7 views

ORY Oathkeeper 安全漏洞

ORY Oathkeeper is an open source an Identity Access Proxy IAP and Access Control Decision API that authorizes HTTP requests based on a set of access rules. A security vulnerability exists in ORY Oathkeeper, which stems from an Identity Access Proxy IAP and Access Control Decision API that...

7.5CVSS7.2AI score0.01298EPSS
Exploits0References3
Veracode
Veracode
added 2020/10/23 8:33 a.m.20 views

Unsecured Proxy

strapi-plugin-upload contains an unsecured proxy. An unauthenticated user is able to access the proxy without any authorization, allowing for access to other protected resources...

9.8CVSS4.2AI score0.02264EPSS
Exploits0References3Affected Software1
Rows per page
Query Builder