10

CVE-2023-33189

Incorrect Authorization with specially crafted requests

Pomerium is an identity and context-aware access proxy. With specially crafted requests, incorrect authorization decisions may be made by Pomerium. This issue has been patched in versions 0.17.4, 0.18.1, 0.19.2, 0.20.1, 0.21.4 and 0.22.2.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
PomeriumPomerium Version < 0.17.4
PomeriumPomerium Version >= 0.19.0 < 0.19.2
PomeriumPomerium Version >= 0.21.0 < 0.21.4
PomeriumPomerium Version >= 0.22.0 < 0.22.2
PomeriumPomerium Version0.18.0
PomeriumPomerium Version0.20.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.92% 0.556
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com 10 3.9 5.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
CWE-285 Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

https://github.com/pomerium/pomerium/commit/d315e683357a9b587ba9ef399a8813bcc52fdebb
Patch
https://github.com/pomerium/pomerium/releases/tag/v0.17.4
Release Notes
https://github.com/pomerium/pomerium/releases/tag/v0.18.1
Release Notes
https://github.com/pomerium/pomerium/releases/tag/v0.19.2
Release Notes
https://github.com/pomerium/pomerium/releases/tag/v0.20.1
Release Notes
https://github.com/pomerium/pomerium/releases/tag/v0.21.4
Release Notes
https://github.com/pomerium/pomerium/releases/tag/v0.22.2
Release Notes
https://github.com/pomerium/pomerium/security/advisories/GHSA-pvrc-wvj2-f59p
Vendor Advisory