FKIE_CVE-2023-33189

Vulnerability from fkie_nvd - Published: 2023-05-30 06:16 - Updated: 2024-11-21 08:05
Severity ?
10.0 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Pomerium is an identity and context-aware access proxy. With specially crafted requests, incorrect authorization decisions may be made by Pomerium. This issue has been patched in versions 0.17.4, 0.18.1, 0.19.2, 0.20.1, 0.21.4 and 0.22.2.
References
security-advisories@github.comhttps://github.com/pomerium/pomerium/commit/d315e683357a9b587ba9ef399a8813bcc52fdebbPatch
security-advisories@github.comhttps://github.com/pomerium/pomerium/releases/tag/v0.17.4Release Notes
security-advisories@github.comhttps://github.com/pomerium/pomerium/releases/tag/v0.18.1Release Notes
security-advisories@github.comhttps://github.com/pomerium/pomerium/releases/tag/v0.19.2Release Notes
security-advisories@github.comhttps://github.com/pomerium/pomerium/releases/tag/v0.20.1Release Notes
security-advisories@github.comhttps://github.com/pomerium/pomerium/releases/tag/v0.21.4Release Notes
security-advisories@github.comhttps://github.com/pomerium/pomerium/releases/tag/v0.22.2Release Notes
security-advisories@github.comhttps://github.com/pomerium/pomerium/security/advisories/GHSA-pvrc-wvj2-f59pVendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/pomerium/pomerium/commit/d315e683357a9b587ba9ef399a8813bcc52fdebbPatch
af854a3a-2127-422b-91ae-364da2661108https://github.com/pomerium/pomerium/releases/tag/v0.17.4Release Notes
af854a3a-2127-422b-91ae-364da2661108https://github.com/pomerium/pomerium/releases/tag/v0.18.1Release Notes
af854a3a-2127-422b-91ae-364da2661108https://github.com/pomerium/pomerium/releases/tag/v0.19.2Release Notes
af854a3a-2127-422b-91ae-364da2661108https://github.com/pomerium/pomerium/releases/tag/v0.20.1Release Notes
af854a3a-2127-422b-91ae-364da2661108https://github.com/pomerium/pomerium/releases/tag/v0.21.4Release Notes
af854a3a-2127-422b-91ae-364da2661108https://github.com/pomerium/pomerium/releases/tag/v0.22.2Release Notes
af854a3a-2127-422b-91ae-364da2661108https://github.com/pomerium/pomerium/security/advisories/GHSA-pvrc-wvj2-f59pVendor Advisory
Impacted products
Vendor Product Version
pomerium pomerium *
pomerium pomerium *
pomerium pomerium *
pomerium pomerium *
pomerium pomerium 0.18.0
pomerium pomerium 0.20.0
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:pomerium:pomerium:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "BB4624AE-F046-4907-A7E2-30415D3C243A",
              "versionEndExcluding": "0.17.4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:pomerium:pomerium:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B8B01C39-CC4A-4A3C-850E-0C6DE43B8C45",
              "versionEndExcluding": "0.19.2",
              "versionStartIncluding": "0.19.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:pomerium:pomerium:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "74933B5D-F984-414E-81D1-74D1447E6B28",
              "versionEndExcluding": "0.21.4",
              "versionStartIncluding": "0.21.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:pomerium:pomerium:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B7F7CBF8-0778-4DF2-AF60-B8C12E42B896",
              "versionEndExcluding": "0.22.2",
              "versionStartIncluding": "0.22.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:pomerium:pomerium:0.18.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "0A86D41E-451B-4696-8993-AF8734BDDBF4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:pomerium:pomerium:0.20.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "6754E0E9-C41E-4568-9E16-3EDF00CF5A62",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Pomerium is an identity and context-aware access proxy. With specially crafted requests, incorrect authorization decisions may be made by Pomerium. This issue has been patched in versions 0.17.4, 0.18.1, 0.19.2, 0.20.1, 0.21.4 and 0.22.2."
    },
    {
      "lang": "es",
      "value": "Pomerium es un proxy de acceso consciente de la identidad y el contexto. Con peticiones manipuladas, Pomerium puede tomar decisiones de autorizaci\u00f3n incorrectas. Este problema ha sido corregido en las versiones 0.17.4, 0.18.1, 0.19.2, 0.20.1, 0.21.4 y 0.22.2. "
    }
  ],
  "id": "CVE-2023-33189",
  "lastModified": "2024-11-21T08:05:05.060",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 10.0,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.8,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-05-30T06:16:37.937",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/pomerium/pomerium/commit/d315e683357a9b587ba9ef399a8813bcc52fdebb"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/pomerium/pomerium/releases/tag/v0.17.4"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/pomerium/pomerium/releases/tag/v0.18.1"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/pomerium/pomerium/releases/tag/v0.19.2"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/pomerium/pomerium/releases/tag/v0.20.1"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/pomerium/pomerium/releases/tag/v0.21.4"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/pomerium/pomerium/releases/tag/v0.22.2"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/pomerium/pomerium/security/advisories/GHSA-pvrc-wvj2-f59p"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/pomerium/pomerium/commit/d315e683357a9b587ba9ef399a8813bcc52fdebb"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/pomerium/pomerium/releases/tag/v0.17.4"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/pomerium/pomerium/releases/tag/v0.18.1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/pomerium/pomerium/releases/tag/v0.19.2"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/pomerium/pomerium/releases/tag/v0.20.1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/pomerium/pomerium/releases/tag/v0.21.4"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/pomerium/pomerium/releases/tag/v0.22.2"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/pomerium/pomerium/security/advisories/GHSA-pvrc-wvj2-f59p"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-285"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-Other"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.