authenticate: pomerium_signature is not verified in middleware

Impact

Some API endpoints under /.pomerium/ do not verify parameters with pomerium_signature. This could allow modifying parameters intended to be trusted to Pomerium.

The issue mainly affects routes responsible for sign in/out, but does not introduce an authentication bypass.

Patches

Patched in v0.13.4

Workarounds

None

References

None

For more information

If you have any questions or comments about this advisory:

Open an issue in pomerium
Email us at security@pomerium.com

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

authenticate: pomerium_signature is not verified in middleware

Package

Affected versions

Patched versions

Description

Impact

Patches

Workarounds

References

For more information

Severity

CVE ID

Weaknesses

Credits