
x/vulndb: potential Go vuln in github.com/pomerium/pomerium: CVE-2024-39315 #2965

Closed
GoVulnBot opened this issue Jul 2, 2024 · 2 comments
@GoVulnBot

Advisory CVE-2024-39315 references a vulnerability in the following Go modules:

Module
github.com/pomerium/pomerium

Description:
Pomerium is an identity and context-aware access proxy. Prior to version 0.26.1, the Pomerium user info page (at /.pomerium) unintentionally included serialized OAuth2 access and ID tokens from the logged-in user's session. These tokens are not intended to be exposed to end users. This issue may be more severe in the presence of a cross-site scripting vulnerability in an upstream application proxied through Pomerium. If an attacker could insert a malicious script onto a web page proxied through Pomerium, that script could access these tokens by making a request to the /.pomerium endpoint. ...

References:

Cross references:

See doc/triage.md for instructions on how to triage this report.

```yaml
id: GO-ID-PENDING
modules:
  - module: github.com/pomerium/pomerium
    vulnerable_at: 0.26.1
summary: CVE-2024-39315 in github.com/pomerium/pomerium
cves:
  - CVE-2024-39315
references:
  - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-39315
  - fix: https://github.com/pomerium/pomerium/commit/4c7c4320afb2ced70ba19b46de1ac4383f3daa48
  - web: https://github.com/pomerium/pomerium/security/advisories/GHSA-rrqr-7w59-637v
source:
  id: CVE-2024-39315
  created: 2024-07-02T22:01:14.895409014Z
review_status: UNREVIEWED
```
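The advisory above describes a user-info endpoint that serialized the session's OAuth2 access and ID tokens into a browser-readable response, which an XSS bug in a proxied upstream app could then read by fetching `/.pomerium`. The following Go program is an added example, not code from Pomerium or from the vulndb project: it is a regression check a deployment or integration test could run against a user-info JSON body to catch this class of leak. It walks an arbitrary JSON document and reports any key named like a token (`access_token`, `id_token`, `refresh_token`) and any string value shaped like a compact JWT. The two JSON bodies are constructed samples; nothing about Pomerium's actual response format is assumed beyond "it is JSON".

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Keys that must never appear in a response readable by page scripts.
// The list is an assumption for this example, not taken from Pomerium.
var sensitiveKeys = map[string]bool{
	"access_token":  true,
	"id_token":      true,
	"refresh_token": true,
}

// jwtPattern matches a compact JWS/JWT: three base64url segments joined by dots.
var jwtPattern = regexp.MustCompile(`^[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}$`)

// Constructed sample bodies (not real Pomerium output).
// LeakyUserInfo models the pre-0.26.1 behaviour: tokens serialized into the page data.
const LeakyUserInfo = `{"email":"alice@example.com","session":{"id":"sess-1","access_token":"constructed-opaque-token-value","raw":"eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJlLWNvbnN0cnVjdGVk"}}`

// CleanUserInfo models a response that carries identity data but no credentials.
const CleanUserInfo = `{"email":"alice@example.com","session":{"id":"sess-1","expires_at":"2024-07-02T22:01:14Z"}}`

// FindTokenLeaks parses a JSON body and returns a sorted list of JSON paths
// where a sensitive key or a JWT-shaped string value was found.
// An empty list means the body passed the check.
func FindTokenLeaks(body []byte) ([]string, error) {
	var doc any
	if err := json.Unmarshal(body, &doc); err != nil {
		return nil, fmt.Errorf("user-info body is not valid JSON: %w", err)
	}
	var leaks []string
	walk("$", doc, &leaks)
	sort.Strings(leaks) // map iteration order is random; sort for stable reports
	return leaks, nil
}

// walk recursively visits objects, arrays and strings, recording findings.
func walk(path string, v any, leaks *[]string) {
	switch t := v.(type) {
	case map[string]any:
		for k, child := range t {
			childPath := path + "." + k
			if sensitiveKeys[strings.ToLower(k)] {
				// Flag the key regardless of its value type; do not descend further.
				*leaks = append(*leaks, childPath+" (sensitive key)")
				continue
			}
			walk(childPath, child, leaks)
		}
	case []any:
		for i, child := range t {
			walk(fmt.Sprintf("%s[%d]", path, i), child, leaks)
		}
	case string:
		// A JWT hiding under an innocuous key is still a credential leak.
		if jwtPattern.MatchString(t) {
			*leaks = append(*leaks, path+" (JWT-shaped value)")
		}
	}
}

func main() {
	for name, body := range map[string]string{"leaky": LeakyUserInfo, "clean": CleanUserInfo} {
		leaks, err := FindTokenLeaks([]byte(body))
		if err != nil {
			fmt.Println(name, "error:", err)
			continue
		}
		fmt.Printf("%s: %d finding(s) %v\n", name, len(leaks), leaks)
	}
}
```

In a real deployment test you would replace the constructed bodies with the response fetched from the proxy's user-info endpoint while authenticated, and fail the test whenever `FindTokenLeaks` returns anything. The JWT regex is deliberately loose (minimum segment length only), so it prefers false positives over missing a real token.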

@gopherbot (Contributor)

Change https://go.dev/cl/596495 mentions this issue: data/reports: add GO-2024-2965

@gopherbot (Contributor)

Change https://go.dev/cl/601375 mentions this issue: data/reports: update 3 reports

gopherbot pushed a commit that referenced this issue Jul 29, 2024
Regenerate three UNREVIEWED reports that now have
a GHSA available.

  - data/reports/GO-2024-2965.yaml
  - data/reports/GO-2024-2969.yaml
  - data/reports/GO-2024-2974.yaml

Updates #2965
Updates #2969
Updates #2974

Change-Id: I5f5b9fc105520c831e598dc591d04b9e81347d3d
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/601375
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>