CVE-2023-33189

Pomerium is an identity and context-aware access proxy. With specially crafted requests, incorrect authorization decisions may be made by Pomerium. This issue has been patched in versions 0.17.4, 0.18.1, 0.19.2, 0.20.1, 0.21.4 and 0.22.2.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/pomerium/pomerium/commit/d315e683357a9b587ba9ef399a8813bcc52fdebb	Patch
https://github.com/pomerium/pomerium/releases/tag/v0.17.4	Release Notes
https://github.com/pomerium/pomerium/releases/tag/v0.18.1	Release Notes
https://github.com/pomerium/pomerium/releases/tag/v0.19.2	Release Notes
https://github.com/pomerium/pomerium/releases/tag/v0.20.1	Release Notes
https://github.com/pomerium/pomerium/releases/tag/v0.21.4	Release Notes
https://github.com/pomerium/pomerium/releases/tag/v0.22.2	Release Notes
https://github.com/pomerium/pomerium/security/advisories/GHSA-pvrc-wvj2-f59p	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:pomerium:pomerium::::::::
	cpe:2.3:a:pomerium:pomerium::::::::
	cpe:2.3:a:pomerium:pomerium::::::::
	cpe:2.3:a:pomerium:pomerium::::::::
	cpe:2.3:a:pomerium:pomerium:0.18.0:::::::*
	cpe:2.3:a:pomerium:pomerium:0.20.0:::::::*

History

No history.

Information

Published : 2023-05-30 06:16

Updated : 2023-06-05 17:04

NVD link : CVE-2023-33189

Mitre link : CVE-2023-33189

CVE.ORG link : CVE-2023-33189

JSON object : View

Products Affected

pomerium

pomerium

CWE

NVD-CWE-Other CWE-285

Improper Authorization

{"id": "CVE-2023-33189", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 10.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.8, "exploitabilityScore": 3.9}]}, "published": "2023-05-30T06:16:37.937", "references": [{"url": "https://github.com/pomerium/pomerium/commit/d315e683357a9b587ba9ef399a8813bcc52fdebb", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/pomerium/pomerium/releases/tag/v0.17.4", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/pomerium/pomerium/releases/tag/v0.18.1", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/pomerium/pomerium/releases/tag/v0.19.2", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/pomerium/pomerium/releases/tag/v0.20.1", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/pomerium/pomerium/releases/tag/v0.21.4", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/pomerium/pomerium/releases/tag/v0.22.2", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/pomerium/pomerium/security/advisories/GHSA-pvrc-wvj2-f59p", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-285"}]}], "descriptions": [{"lang": "en", "value": "Pomerium is an identity and context-aware access proxy. With specially crafted requests, incorrect authorization decisions may be made by Pomerium. This issue has been patched in versions 0.17.4, 0.18.1, 0.19.2, 0.20.1, 0.21.4 and 0.22.2."}, {"lang": "es", "value": "Pomerium es un proxy de acceso consciente de la identidad y el contexto. Con peticiones manipuladas, Pomerium puede tomar decisiones de autorizaci\u00f3n incorrectas. Este problema ha sido corregido en las versiones 0.17.4, 0.18.1, 0.19.2, 0.20.1, 0.21.4 y 0.22.2. "}], "lastModified": "2023-06-05T17:04:41.190", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:pomerium:pomerium:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BB4624AE-F046-4907-A7E2-30415D3C243A", "versionEndExcluding": "0.17.4"}, {"criteria": "cpe:2.3:a:pomerium:pomerium:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B8B01C39-CC4A-4A3C-850E-0C6DE43B8C45", "versionEndExcluding": "0.19.2", "versionStartIncluding": "0.19.0"}, {"criteria": "cpe:2.3:a:pomerium:pomerium:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "74933B5D-F984-414E-81D1-74D1447E6B28", "versionEndExcluding": "0.21.4", "versionStartIncluding": "0.21.0"}, {"criteria": "cpe:2.3:a:pomerium:pomerium:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B7F7CBF8-0778-4DF2-AF60-B8C12E42B896", "versionEndExcluding": "0.22.2", "versionStartIncluding": "0.22.0"}, {"criteria": "cpe:2.3:a:pomerium:pomerium:0.18.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0A86D41E-451B-4696-8993-AF8734BDDBF4"}, {"criteria": "cpe:2.3:a:pomerium:pomerium:0.20.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6754E0E9-C41E-4568-9E16-3EDF00CF5A62"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}