CVE-2021-41230 in Pomerium
Summary
by MITRE • 11/06/2021
Pomerium is an open source identity-aware access proxy. In affected versions changes to the OIDC claims of a user after initial login are not reflected in policy evaluation when using `allowed_idp_claims` as part of policy. If using `allowed_idp_claims` and a user's claims are changed, Pomerium can make incorrect authorization decisions. This issue has been resolved in v0.15.6. For users unable to upgrade clear data on `databroker` service by clearing redis or restarting the in-memory databroker to force claims to be updated.
Analysis
by VulDB Data Team • 11/10/2021
CVE-2021-41230 is an authorization flaw in Pomerium, an identity-aware access proxy that enforces route policies based on a user's identity and OpenID Connect (OIDC) claims. The flaw lies in how claims are handled during policy evaluation when a route uses the `allowed_idp_claims` setting: the claims a user presented at initial login are stored with the session and reused for later decisions, so changes to those claims at the identity provider are not reflected in policy evaluation. The result is a persistent gap between the user's current identity state and the data the proxy actually evaluates, and an access decision is wrong whenever the claims it depends on have changed since login.
The root cause is in the databroker service, which stores each session together with its claims but does not refresh or invalidate them when the identity provider changes the user's attributes. When Pomerium evaluates a policy that uses `allowed_idp_claims`, it reads the claims from that stored session rather than from the identity provider's current assertions, so the stale claims drive every later authorization decision for as long as the session record exists. A user whose entitlements were reduced therefore keeps access they should have lost, which undermines least privilege. The weakness is classified as CWE-284: Improper Access Control, in the context of identity management and authorization enforcement: the proxy's trust in cached identity information outlives the validity of that information.
The operational impact is that a revocation made at the identity provider does not take effect at the proxy. A user removed from a group, or whose role claim is downgraded, keeps whatever access the old claims granted until their session record is dropped; the reverse also holds, in that newly granted claims are not honoured until re-login, although that direction fails closed. The problem is most acute where group membership or role claims change frequently, such as multi-tenant applications or systems with dynamic role assignment, because it turns a routine administrative action into one that silently fails to take effect. The flaw does not let an attacker mint claims; it lets the holder of a valid, already-authenticated session outlive the entitlements behind it, which maps to ATT&CK T1078 (Valid Accounts), including the sub-technique T1078.004 (Cloud Accounts) when the identity provider is a cloud IdP. Because the affected component is the proxy's core authorization path, every route guarded by `allowed_idp_claims` is exposed.
The fix is to upgrade to Pomerium v0.15.6, in which changes to a user's claims are reflected in policy evaluation. Deployments that cannot upgrade immediately should clear the databroker's stored data, by flushing Redis when it is the backing store or by restarting the in-memory databroker; every user is then forced to re-authenticate and their claims are re-read from the identity provider. This is a one-time purge rather than a fix: claims that change after the purge go stale again, so it has to be repeated after every change that is meant to take effect, and each purge drops all active sessions. Until the upgrade is in place, the purge should be tied to the administrative process that changes group or role claims, and policy decisions should be logged together with the claims they were evaluated against so that a decision made on stale claims can be identified afterwards. The broader lesson is that an identity-aware proxy must give cached claims a bounded lifetime; a session store that is never invalidated turns the identity provider's source of truth into a snapshot that drifts away from it.
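The following Go model is added here as an illustration of the analysis above; it is not code from Pomerium or from VulDB. It contrasts the stale evaluation described in the root-cause paragraph with the two remedies described in the remediation paragraph: purging the databroker so that users re-authenticate, and bringing the stored claims up to date before evaluation (a model of the corrected behaviour, not Pomerium's actual patch). The types and functions (`IdP`, `Databroker`, `AuthorizeStale`, `AuthorizeRefreshed`, `ClearDatabroker`, `Scenario`), the user "alice" and her groups are all constructed, and the `allowed_idp_claims` matching is modelled as "any listed value matches", which is an assumption about the setting's semantics.

```go
package main

import "fmt"

// Claims models the OIDC claims an identity provider asserts for a user, e.g.
// {"groups": ["admins", "devs"]}. Every type and name here is constructed for
// this example; none is Pomerium's own.
type Claims map[string][]string

// IdP stands in for the identity provider: each user's current claims, which an admin can change after login.
type IdP map[string]Claims

// Databroker models the session store (redis or in-memory): the claims captured
// for each user when their session was created.
type Databroker map[string]Claims

// Policy models a route using allowed_idp_claims. Assumed semantics: the request
// is allowed if the user holds any one of the listed values for a claim.
type Policy struct {
	AllowedIDPClaims map[string][]string
}

func (p Policy) Allows(c Claims) bool {
	for name, wanted := range p.AllowedIDPClaims {
		for _, w := range wanted {
			for _, have := range c[name] {
				if have == w {
					return true
				}
			}
		}
	}
	return false
}

// Login stores a session holding the IdP's claims as of this moment.
func Login(db Databroker, provider IdP, user string) {
	db[user] = provider[user]
}

// AuthorizeStale is the vulnerable path: the policy is evaluated against the
// claims frozen into the session at login. needLogin reports a missing session.
func AuthorizeStale(db Databroker, p Policy, user string) (allowed, needLogin bool) {
	claims, ok := db[user]
	if !ok {
		return false, true
	}
	return p.Allows(claims), false
}

// AuthorizeRefreshed models the corrected behaviour: the stored claims are
// brought up to date from the IdP (as on a token refresh) before evaluation.
func AuthorizeRefreshed(db Databroker, provider IdP, p Policy, user string) (allowed, needLogin bool) {
	if _, ok := db[user]; !ok {
		return false, true
	}
	db[user] = provider[user]
	return p.Allows(db[user]), false
}

// ClearDatabroker models the advisory's workaround: drop every session so each
// user must log in again, at which point their claims are re-read from the IdP.
func ClearDatabroker(db Databroker) {
	for user := range db {
		delete(db, user)
	}
}

type Result struct {
	StaleAllowed        bool // vulnerable path after the IdP revoked the claim
	RefreshedAllowed    bool // corrected path applied to that same stale session
	NeedLoginAfterClear bool // after the purge: no session, re-login required
	AllowedAfterRelogin bool // vulnerable path again, now with current claims
}

// Scenario: alice is in "admins" at login and is then removed from that group at
// the IdP; an admins-only route is evaluated under each behaviour.
func Scenario() Result {
	adminOnly := Policy{AllowedIDPClaims: map[string][]string{"groups": {"admins"}}}
	provider := IdP{"alice": Claims{"groups": {"admins", "devs"}}} // constructed
	db := Databroker{}
	var r Result

	Login(db, provider, "alice")
	provider["alice"] = Claims{"groups": {"devs"}} // revoked at the IdP after login
	r.StaleAllowed, _ = AuthorizeStale(db, adminOnly, "alice")
	r.RefreshedAllowed, _ = AuthorizeRefreshed(db, provider, adminOnly, "alice")

	ClearDatabroker(db)
	_, r.NeedLoginAfterClear = AuthorizeStale(db, adminOnly, "alice")
	Login(db, provider, "alice")
	r.AllowedAfterRelogin, _ = AuthorizeStale(db, adminOnly, "alice")
	return r
}

func main() {
	fmt.Printf("%+v\n", Scenario())
}
```

Running it prints `StaleAllowed:true` for the vulnerable path and `false` for the other two evaluations, with `NeedLoginAfterClear:true` showing why the purge works: it does not correct anything by itself, it only forces the login step that re-reads the claims. That is also why the purge has to be repeated after every later claim change, whereas the refreshed path corrects the existing session in place.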