[security] Pomerium v0.13.4 is released



Mar 31, 2021, 4:01:26 PM
to pomerium-announce
We have just released Pomerium 0.13.4 to address potential security issues discovered during an internal security audit performed by Cure53. We recommend that all users update.
  • JWT leak via open redirect in programmatic access

    Using programmatic access on protected sites, one can obtain a signed login URL with pomerium_redirect_uri set to an arbitrary URL. If the user is already logged into Pomerium, they are then redirected to the specified pomerium_redirect_uri with a JWT attached. This allows an outside attacker to obtain a signed login URL that, when visited, redirects a victim to the attacker's site. This is an open redirect and, more seriously, a JWT leak.

    This issue is CVE-2021-29651 and advisory GHSA-35vc-w93w-75c2.

  • authenticate: pomerium_signature is not verified in middleware

    Some API endpoints under /.pomerium/ do not verify their parameters against pomerium_signature. This could allow modification of parameters that Pomerium is intended to trust. The issue mainly affects the routes responsible for sign-in and sign-out, but it does not introduce an authentication bypass.

    This issue is CVE-2021-29652 and advisory GHSA-fv82-r8qv-ch4v.
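The two mitigations both advisories point at, an allowlist on the redirect target and signature verification before any /.pomerium/ parameter is trusted, as an added illustration in Go; this is example code written for this post, not Pomerium's implementation, and the allowlisted host, the HMAC key and the canonical signing layout are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"net/url"
	"strings"
)

// Constructed allowlist: only hosts the proxy itself serves. Accepting an
// arbitrary target is the open redirect (and JWT leak) described above.
var allowedRedirectHosts = map[string]bool{"app.example.com": true}

// RedirectAllowed accepts only https URLs on the allowlist with no userinfo,
// so "https://app.example.com@evil.test/" is refused as well.
func RedirectAllowed(raw string) bool {
	u, err := url.Parse(raw)
	return err == nil && u.Scheme == "https" && u.User == nil &&
		allowedRedirectHosts[strings.ToLower(u.Hostname())]
}

// mac is HMAC-SHA256 over path + key-sorted query minus the signature, so
// signer and verifier hash identical bytes (layout is an assumption, not Pomerium's).
func mac(key []byte, u *url.URL) []byte {
	q := u.Query()
	q.Del("pomerium_signature")
	h := hmac.New(sha256.New, key)
	h.Write([]byte(u.Path + "?" + q.Encode()))
	return h.Sum(nil)
}

// SignURL attaches pomerium_signature=hex(mac) to u in place.
func SignURL(key []byte, u *url.URL) {
	q := u.Query()
	q.Set("pomerium_signature", hex.EncodeToString(mac(key, u)))
	u.RawQuery = q.Encode()
}

// VerifySignedURL recomputes the MAC and compares in constant time; the
// middleware must do this before trusting any /.pomerium/ parameter.
func VerifySignedURL(key []byte, raw string) bool {
	u, err := url.Parse(raw)
	if err != nil {
		return false
	}
	got, err := hex.DecodeString(u.Query().Get("pomerium_signature"))
	return err == nil && hmac.Equal(got, mac(key, u))
}
```

Applying RedirectAllowed at the time the login URL is signed, and VerifySignedURL on every /.pomerium/ handler, closes both issues independently: a forged or edited query fails the MAC, and an off-site target never gets signed in the first place.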

You can download binary and source distributions from GitHub, or pull the v0.13.4 container image from Docker Hub.

Thank you,