x/vulndb: potential Go vuln in github.com/pomerium/pomerium: GHSA-r7rh-jww5-5fjr

[GoVulnBot]

Advisory GHSA-r7rh-jww5-5fjr references a vulnerability in the following Go modules:

Module
github.com/pomerium/pomerium

Description:

Impact

We've identified a vulnerability in the Pomerium databroker service API that may grant unintended access under specific conditions. This affects only certain Pomerium Zero and Pomerium Enterprise deployments.

Who is affected?

A Pomerium deployment is susceptible to this issue if all of the following conditions are met:

• You have issued a service account access token using Pomerium Zero or Pomerium Enterprise.
• The access token has an explicit expiration date in the future.
• The core Pomerium databroker gRPC ...

References:

• ADVISORY: GHSA-r7rh-jww5-5fjr
• ADVISORY: GHSA-r7rh-jww5-5fjr
• FIX: pomerium/pomerium@e018cf0
• WEB: https://github.com/pomerium/pomerium/releases/tag/v0.27.1

Cross references:

• github.com/pomerium/pomerium appears in 10 other report(s):
  • data/excluded/GO-2022-0371.yaml (x/vulndb: potential Go vuln in github.com/pomerium/pomerium: GHSA-j34v-3552-5r7j #371) NOT_GO_CODE
  • data/excluded/GO-2022-0896.yaml (x/vulndb: potential Go vuln in github.com/pomerium/pomerium: CVE-2021-39204, GHSA-5wjf-62hw-q78r #896) NOT_GO_CODE
  • data/excluded/GO-2022-0897.yaml (x/vulndb: potential Go vuln in github.com/pomerium/pomerium: CVE-2021-39206, GHSA-cfc2-wjcm-c8fm #897) NOT_GO_CODE
  • data/reports/GO-2021-0258.yaml (x/vulndb: potential Go vuln in github.com/pomerium/pomerium: CVE-2021-41230 #258)
  • data/reports/GO-2022-0413.yaml (x/vulndb: potential Go vuln in github.com/pomerium/pomerium: CVE-2022-24797 #413)
  • data/reports/GO-2022-0783.yaml (x/vulndb: potential Go vuln in github.com/pomerium/pomerium/proxy: GHSA-35vc-w93w-75c2 #783)
  • data/reports/GO-2022-0827.yaml (x/vulndb: potential Go vuln in github.com/pomerium/pomerium/authenticate: GHSA-fv82-r8qv-ch4v #827)
  • data/reports/GO-2022-0933.yaml (x/vulndb: potential Go vuln in github.com/pomerium/pomerium: CVE-2021-39162, GHSA-gjcg-vrxg-xmgv #933)
  • data/reports/GO-2023-1800.yaml (x/vulndb: potential Go vuln in github.com/pomerium/pomerium: CVE-2023-33189 #1800)
  • data/reports/GO-2024-2965.yaml (x/vulndb: potential Go vuln in github.com/pomerium/pomerium: CVE-2024-39315 #2965)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/pomerium/pomerium
      versions:
        - fixed: 0.27.1
      vulnerable_at: 0.27.0
summary: |-
    Pomerium service account access token may grant unintended access to databroker
    API in github.com/pomerium/pomerium
cves:
    - CVE-2024-47616
ghsas:
    - GHSA-r7rh-jww5-5fjr
references:
    - advisory: https://github.com/advisories/GHSA-r7rh-jww5-5fjr
    - advisory: https://github.com/pomerium/pomerium/security/advisories/GHSA-r7rh-jww5-5fjr
    - fix: https://github.com/pomerium/pomerium/commit/e018cf0fc0979d2abe25ff705db019feb7523444
    - web: https://github.com/pomerium/pomerium/releases/tag/v0.27.1
source:
    id: GHSA-r7rh-jww5-5fjr
    created: 2024-10-02T22:01:23.33743042Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/619135 mentions this issue: data/reports: add 15 reports