Travisgroth

**Name of the Vulnerable Software and Affected Versions** Pomerium versions prior to v0.17.1 **Description** Pomerium is an identity-aware access proxy. In distributed service mode, Pomerium's Authenticate service exposes `pprof` debug and `prometheus` metrics handlers to untrusted traffic. This can leak potentially sensitive environmental information or lead to limited denial of service conditions. **Recommendations** For versions prior to v0.17.1, update to version v0.17.1 to resolve the issue. As a temporary workaround, consider blocking access to `/debug` and `/metrics` paths on the authenticate service. This can be done with any L7 proxy, including Pomerium's own proxy service.

**Name of the Vulnerable Software and Affected Versions** Pomerium versions prior to 0.15.6 **Description** Pomerium is an open source identity-aware access proxy. Changes to the OIDC claims of a user after initial login are not reflected in policy evaluation when using `allowed idp claims` as part of policy. If using `allowed idp claims` and a user's claims are changed, Pomerium can make incorrect authorization decisions. **Recommendations** For versions prior to 0.15.6, update to version 0.15.6 to resolve the issue. As a temporary workaround for users unable to upgrade, clear data on the `databroker` service by clearing redis or restarting the in-memory databroker to force claims to be updated.

**Name of the Vulnerable Software and Affected Versions** Pomerium versions prior to 0.15.1 **Description** Pomerium, an open source identity-aware access proxy based on Envoy, can abnormally terminate if an H/2 GOAWAY and SETTINGS frame are received in the same IO event. This can lead to a Denial of Service (DoS) in the presence of untrusted upstream servers. If only trusted upstreams are configured, there is not substantial risk of this condition being triggered. **Recommendations** For versions prior to 0.15.1, update to version 0.15.1, which contains an upgraded Envoy binary with this issue patched. If only trusted upstreams are configured, there is not substantial risk of this condition being triggered, but it is still recommended to update to version 0.15.1 for maximum security.

**Name of the Vulnerable Software and Affected Versions** Pomerium versions prior to 0.14.8 Pomerium versions prior to 0.15.1 **Description** The issue arises from Envoy, which Pomerium is based on, incorrectly handling resetting of HTTP/2 streams with excessive complexity. This can lead to high CPU utilization when a large number of streams are reset, resulting in a DoS condition. **Recommendations** For versions prior to 0.14.8, update to version 0.14.8 or later to resolve the issue. For versions prior to 0.15.1, update to version 0.15.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Pomerium versions prior to 0.13.4 **Description** The issue allows an outside attacker to get a signed login URL that, upon visiting it, will redirect a victim to the attacker’s site, creating an Open Redirect problem and potentially leading to JWT leakage. With a leaked JWT, the attacker can unveil the victim’s identity, such as their email address, by supplying the JWT to the authenticate service. Additionally, if an application integrating Pomerium only verifies the `iss` claim and not the `aud` claim, the attacker can access it as the victim. **Recommendations** For versions prior to 0.13.4, update to Pomerium version 0.13.4 or later to resolve the issue. As a temporary workaround, consider restricting programmatic access on protected sites to minimize the risk of exploitation. Avoid using the `pomerium redirect uri` parameter in the affected API endpoint until the issue is resolved.