PT-2021-23203 · Pomerium · Pomerium

Travisgroth · Published 2021-11-05 · Updated 2022-01-14 · CVE-2021-41230

CVSS v2.0: 6.5 (Medium)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: Pomerium versions prior to 0.15.6

Description: Pomerium is an open source identity-aware access proxy. When a policy uses allowed idp claims, changes made to a user's OIDC claims after the initial login are not reflected in policy evaluation. If a policy relies on allowed idp claims and a user's claims are changed, Pomerium can therefore make incorrect authorization decisions.

Recommendations: For versions prior to 0.15.6, update to version 0.15.6 to resolve the issue. As a temporary workaround for users unable to upgrade, clear the data held by the databroker service (flush Redis, or restart the in-memory databroker) to force the claims to be refreshed.

Fix

Incorrect Authorization

Weakness Enumeration

Related Identifiers

CVE-2021-41230
GHSA-J6WP-3859-VXFG
GO-2021-0258

Affected Products

Pomerium