x/vulndb: potential Go vuln in github.com/pomerium/pomerium: CVE-2024-47616

[GoVulnBot]

Advisory CVE-2024-47616 references a vulnerability in the following Go modules:

Module
github.com/pomerium/pomerium

Description:
Pomerium is an identity and context-aware access proxy. The Pomerium databroker service is responsible for managing all persistent Pomerium application state. Requests to the databroker service API are authorized by the presence of a JSON Web Token (JWT) signed by a key known by all Pomerium services in the same deployment. However, incomplete validation of this JWT meant that some service account access tokens would incorrectly be treated as valid for the purpose of databroker API authorization. Improper access to the databroker API could allow exfiltration of user info, spoofing of user sess...

References:

• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-47616
• FIX: pomerium/pomerium@e018cf0
• WEB: https://github.com/pomerium/pomerium/releases/tag/v0.27.1
• WEB: GHSA-r7rh-jww5-5fjr

Cross references:

• github.com/pomerium/pomerium appears in 10 other report(s):
  • data/excluded/GO-2022-0371.yaml (x/vulndb: potential Go vuln in github.com/pomerium/pomerium: GHSA-j34v-3552-5r7j #371) NOT_GO_CODE
  • data/excluded/GO-2022-0896.yaml (x/vulndb: potential Go vuln in github.com/pomerium/pomerium: CVE-2021-39204, GHSA-5wjf-62hw-q78r #896) NOT_GO_CODE
  • data/excluded/GO-2022-0897.yaml (x/vulndb: potential Go vuln in github.com/pomerium/pomerium: CVE-2021-39206, GHSA-cfc2-wjcm-c8fm #897) NOT_GO_CODE
  • data/reports/GO-2021-0258.yaml (x/vulndb: potential Go vuln in github.com/pomerium/pomerium: CVE-2021-41230 #258)
  • data/reports/GO-2022-0413.yaml (x/vulndb: potential Go vuln in github.com/pomerium/pomerium: CVE-2022-24797 #413)
  • data/reports/GO-2022-0783.yaml (x/vulndb: potential Go vuln in github.com/pomerium/pomerium/proxy: GHSA-35vc-w93w-75c2 #783)
  • data/reports/GO-2022-0827.yaml (x/vulndb: potential Go vuln in github.com/pomerium/pomerium/authenticate: GHSA-fv82-r8qv-ch4v #827)
  • data/reports/GO-2022-0933.yaml (x/vulndb: potential Go vuln in github.com/pomerium/pomerium: CVE-2021-39162, GHSA-gjcg-vrxg-xmgv #933)
  • data/reports/GO-2023-1800.yaml (x/vulndb: potential Go vuln in github.com/pomerium/pomerium: CVE-2023-33189 #1800)
  • data/reports/GO-2024-2965.yaml (x/vulndb: potential Go vuln in github.com/pomerium/pomerium: CVE-2024-39315 #2965)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/pomerium/pomerium
      vulnerable_at: 0.27.1
summary: CVE-2024-47616 in github.com/pomerium/pomerium
cves:
    - CVE-2024-47616
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-47616
    - fix: https://github.com/pomerium/pomerium/commit/e018cf0fc0979d2abe25ff705db019feb7523444
    - web: https://github.com/pomerium/pomerium/releases/tag/v0.27.1
    - web: https://github.com/pomerium/pomerium/security/advisories/GHSA-r7rh-jww5-5fjr
source:
    id: CVE-2024-47616
    created: 2024-10-02T23:01:17.171794863Z
review_status: UNREVIEWED

[maceonthompson]

Duplicate of #3179