Open Redirect Affecting github.com/pomerium/pomerium/config package, versions <0.13.4


Severity: medium
  • Attack Complexity: Low
  • User Interaction: Required
  • Confidentiality: High

  • Snyk ID: SNYK-GOLANG-GITHUBCOMPOMERIUMPOMERIUMCONFIG-1090591
  • Published: 4 Apr 2021
  • Disclosed: 4 Apr 2021
  • Credit: cure53

How to fix?

Upgrade github.com/pomerium/pomerium/config to version 0.13.4 or higher.

Overview

Affected versions of this package are vulnerable to Open Redirect. Using programmatic access on protected sites, an attacker can obtain a signed login URL whose pomerium_redirect_uri parameter is set to an arbitrary URL. A victim who follows that login URL is redirected to the attacker's site, and the JWT issued by the login flow is leaked to it.
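The defensive control against this class of bug is to validate the redirect target before a login URL is ever signed: parse it, require an absolute https URL, and accept only hosts on an explicit allowlist. The following Go example is added here to illustrate that check; it is not pomerium's code and does not reproduce the project's fix. The allowlist, the function name ValidateRedirectURI and the sample inputs are all constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Hypothetical allowlist of hosts a login flow may send the user back to.
// Constructed for this example; it is not pomerium's configuration.
var allowedRedirectHosts = map[string]bool{
	"app.example.com":   true,
	"admin.example.com": true,
}

// ErrRedirectNotAllowed is returned for every rejected redirect target. The
// caller should fall back to a fixed default location rather than echo the input.
var ErrRedirectNotAllowed = errors.New("redirect_uri rejected")

// ValidateRedirectURI returns raw unchanged only if it is an absolute https URL
// whose host is on the allowlist. Anything else is rejected, including
// scheme-relative "//host" forms, userinfo tricks and non-https schemes.
func ValidateRedirectURI(raw string, allowed map[string]bool) (string, error) {
	// Backslashes and CR/LF are never legitimate here; some parsers treat a
	// backslash as a path separator and a CRLF could smuggle extra headers.
	if strings.ContainsAny(raw, "\\\r\n") {
		return "", ErrRedirectNotAllowed
	}
	u, err := url.Parse(raw)
	if err != nil {
		return "", ErrRedirectNotAllowed
	}
	// Requiring an explicit https scheme rejects "//evil.example" (empty
	// scheme), plain http and pseudo-schemes such as javascript:.
	if u.Scheme != "https" {
		return "", ErrRedirectNotAllowed
	}
	// "https://app.example.com@evil.example/" parses with Host=evil.example and
	// User=app.example.com; the hostname check below already fails it, but
	// userinfo has no place in a redirect target, so reject it outright.
	if u.User != nil {
		return "", ErrRedirectNotAllowed
	}
	// Exact, case-insensitive host match. A suffix or substring match would
	// let "app.example.com.evil.example" through.
	host := strings.ToLower(u.Hostname())
	if host == "" || !allowed[host] {
		return "", ErrRedirectNotAllowed
	}
	return u.String(), nil
}

func main() {
	// Constructed sample inputs: one legitimate target and several rejected forms.
	samples := []string{
		"https://app.example.com/dashboard?x=1",
		"https://evil.example/",
		"//evil.example",
		"https://app.example.com@evil.example/",
		"http://app.example.com/",
		"https://app.example.com.evil.example/",
		"javascript:alert(1)",
	}
	for _, s := range samples {
		target, err := ValidateRedirectURI(s, allowedRedirectHosts)
		if err != nil {
			fmt.Printf("REJECT %q\n", s)
			continue
		}
		fmt.Printf("ALLOW  %q\n", target)
	}
}
```

The important design point is that the check runs before the URL is signed: a signature only proves that the service issued the URL, not that its contents are safe, so signing an unvalidated pomerium_redirect_uri lends the attacker's target the service's own authority.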
