PT-2021-18384 · Pomerium · Pomerium

Published 2021-04-02 · Updated 2024-08-21 · CVE-2021-29652

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Pomerium versions 0.10.0 through 0.13.3

Description: The issue is an Open Redirect in the user sign-in/sign-out process. Some API endpoints under /.pomerium/ do not verify their parameters against the Pomerium signature, which allows an attacker to modify parameters that Pomerium is intended to trust. This mainly affects the routes responsible for sign-in and sign-out; it does not introduce an authentication bypass.

Recommendations: For versions 0.10.0 through 0.13.3, update to version 0.13.4, which resolves the issue. As a temporary workaround, consider restricting access to the API endpoints under /.pomerium/ until the update is applied, and avoid relying on unverified parameters in the affected endpoints.
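To make the distinction in the description concrete, the following is an added Go example (not Pomerium's own code) contrasting a sign-in/out handler that takes the redirect destination unverified from the query string with one that accepts it only when an HMAC signature over it checks out. The parameter names redirect_uri and signature, and the key, are assumptions for the illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/url"
)

// signingKey is a constructed sample key; a real deployment uses its own secret.
var signingKey = []byte("constructed-example-key")

// sign returns the hex HMAC-SHA256 of the redirect target under signingKey.
func sign(target string) string {
	mac := hmac.New(sha256.New, signingKey)
	mac.Write([]byte(target))
	return hex.EncodeToString(mac.Sum(nil))
}

// redirectTargetUnverified is the weak pattern: the destination is taken
// straight from the query string, so whoever crafts the link picks it.
func redirectTargetUnverified(rawQuery string) (string, bool) {
	q, err := url.ParseQuery(rawQuery)
	if err != nil || q.Get("redirect_uri") == "" {
		return "", false
	}
	return q.Get("redirect_uri"), true
}

// redirectTargetVerified accepts the destination only when the signature
// parameter equals the HMAC the proxy itself computed over it (constant-time
// comparison). A target edited in transit no longer matches and is dropped.
func redirectTargetVerified(rawQuery string) (string, bool) {
	q, err := url.ParseQuery(rawQuery)
	if err != nil {
		return "", false
	}
	target, sig := q.Get("redirect_uri"), q.Get("signature")
	if target == "" || !hmac.Equal([]byte(sign(target)), []byte(sig)) {
		return "", false
	}
	return target, true
}

func main() {
	target := "https://app.example.com/dashboard"
	query := "redirect_uri=" + url.QueryEscape(target) + "&signature=" + sign(target)
	fmt.Println(redirectTargetVerified(query))
}
```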

Fix

Weakness Enumeration

Open Redirect

Related Identifiers

CVE-2021-29652
GHSA-FV82-R8QV-CH4V
GO-2022-0827

Affected Products

Pomerium