CVE-2023-33189 - OpenCVE

Pomerium is an identity and context-aware access proxy. With specially crafted requests, incorrect authorization decisions may be made by Pomerium. This issue has been patched in versions 0.17.4, 0.18.1, 0.19.2, 0.20.1, 0.21.4 and 0.22.2.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Pomerium	Pomerium

Configuration 1 [-]

OR	cpe:2.3:a:pomerium:pomerium::::::::
	cpe:2.3:a:pomerium:pomerium::::::::
	cpe:2.3:a:pomerium:pomerium::::::::
	cpe:2.3:a:pomerium:pomerium::::::::
	cpe:2.3:a:pomerium:pomerium:0.18.0:::::::*
	cpe:2.3:a:pomerium:pomerium:0.20.0:::::::*

References

Link	Resource
https://github.com/pomerium/pomerium/commit/d315e683357a9b587ba9ef399a8813bcc52fdebb	Patch
https://github.com/pomerium/pomerium/releases/tag/v0.17.4	Release Notes
https://github.com/pomerium/pomerium/releases/tag/v0.18.1	Release Notes
https://github.com/pomerium/pomerium/releases/tag/v0.19.2	Release Notes
https://github.com/pomerium/pomerium/releases/tag/v0.20.1	Release Notes
https://github.com/pomerium/pomerium/releases/tag/v0.21.4	Release Notes
https://github.com/pomerium/pomerium/releases/tag/v0.22.2	Release Notes
https://github.com/pomerium/pomerium/security/advisories/GHSA-pvrc-wvj2-f59p	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-05-30T05:39:45.132Z

Updated: 2023-05-30T05:39:45.132Z

Reserved: 2023-05-17T22:25:50.698Z

Link: CVE-2023-33189

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-05-30T06:16:37.937

Modified: 2023-06-05T17:04:41.190

Link: CVE-2023-33189

JSON object: View

Redhat Information

No data.

CWE

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-33189", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-05-17T22:25:50.698Z", "datePublished": "2023-05-30T05:39:45.132Z", "dateUpdated": "2023-05-30T05:39:45.132Z"}, "containers": {"cna": {"title": "Incorrect Authorization with specially crafted requests", "problemTypes": [{"descriptions": [{"cweId": "CWE-285", "lang": "en", "description": "CWE-285: Improper Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/pomerium/pomerium/security/advisories/GHSA-pvrc-wvj2-f59p", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pomerium/pomerium/security/advisories/GHSA-pvrc-wvj2-f59p"}, {"name": "https://github.com/pomerium/pomerium/commit/d315e683357a9b587ba9ef399a8813bcc52fdebb", "tags": ["x_refsource_MISC"], "url": "https://github.com/pomerium/pomerium/commit/d315e683357a9b587ba9ef399a8813bcc52fdebb"}, {"name": "https://github.com/pomerium/pomerium/releases/tag/v0.17.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/pomerium/pomerium/releases/tag/v0.17.4"}, {"name": "https://github.com/pomerium/pomerium/releases/tag/v0.18.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/pomerium/pomerium/releases/tag/v0.18.1"}, {"name": "https://github.com/pomerium/pomerium/releases/tag/v0.19.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/pomerium/pomerium/releases/tag/v0.19.2"}, {"name": "https://github.com/pomerium/pomerium/releases/tag/v0.20.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/pomerium/pomerium/releases/tag/v0.20.1"}, {"name": "https://github.com/pomerium/pomerium/releases/tag/v0.21.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/pomerium/pomerium/releases/tag/v0.21.4"}, {"name": "https://github.com/pomerium/pomerium/releases/tag/v0.22.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/pomerium/pomerium/releases/tag/v0.22.2"}], "affected": [{"vendor": "pomerium", "product": "pomerium", "versions": [{"version": ">= 0.22.0, < 0.22.2", "status": "affected"}, {"version": ">= 0.21.0, < 0.21.4", "status": "affected"}, {"version": ">= 0.20.0, < 0.20.1", "status": "affected"}, {"version": ">= 0.19.0, < 0.19.2", "status": "affected"}, {"version": ">= 0.18.0, < 0.18.1", "status": "affected"}, {"version": "< 0.17.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-05-30T05:39:45.132Z"}, "descriptions": [{"lang": "en", "value": "Pomerium is an identity and context-aware access proxy. With specially crafted requests, incorrect authorization decisions may be made by Pomerium. This issue has been patched in versions 0.17.4, 0.18.1, 0.19.2, 0.20.1, 0.21.4 and 0.22.2."}], "source": {"advisory": "GHSA-pvrc-wvj2-f59p", "discovery": "UNKNOWN"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pomerium:pomerium:*:*:*:*:*:*:*:*", "matchCriteriaId": "BB4624AE-F046-4907-A7E2-30415D3C243A", "versionEndExcluding": "0.17.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:pomerium:pomerium:*:*:*:*:*:*:*:*", "matchCriteriaId": "B8B01C39-CC4A-4A3C-850E-0C6DE43B8C45", "versionEndExcluding": "0.19.2", "versionStartIncluding": "0.19.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:pomerium:pomerium:*:*:*:*:*:*:*:*", "matchCriteriaId": "74933B5D-F984-414E-81D1-74D1447E6B28", "versionEndExcluding": "0.21.4", "versionStartIncluding": "0.21.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:pomerium:pomerium:*:*:*:*:*:*:*:*", "matchCriteriaId": "B7F7CBF8-0778-4DF2-AF60-B8C12E42B896", "versionEndExcluding": "0.22.2", "versionStartIncluding": "0.22.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:pomerium:pomerium:0.18.0:*:*:*:*:*:*:*", "matchCriteriaId": "0A86D41E-451B-4696-8993-AF8734BDDBF4", "vulnerable": true}, {"criteria": "cpe:2.3:a:pomerium:pomerium:0.20.0:*:*:*:*:*:*:*", "matchCriteriaId": "6754E0E9-C41E-4568-9E16-3EDF00CF5A62", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Pomerium is an identity and context-aware access proxy. With specially crafted requests, incorrect authorization decisions may be made by Pomerium. This issue has been patched in versions 0.17.4, 0.18.1, 0.19.2, 0.20.1, 0.21.4 and 0.22.2."}, {"lang": "es", "value": "Pomerium es un proxy de acceso consciente de la identidad y el contexto. Con peticiones manipuladas, Pomerium puede tomar decisiones de autorizaci\u00f3n incorrectas. Este problema ha sido corregido en las versiones 0.17.4, 0.18.1, 0.19.2, 0.20.1, 0.21.4 y 0.22.2. "}], "id": "CVE-2023-33189", "lastModified": "2023-06-05T17:04:41.190", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-05-30T06:16:37.937", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/pomerium/pomerium/commit/d315e683357a9b587ba9ef399a8813bcc52fdebb"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/pomerium/pomerium/releases/tag/v0.17.4"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/pomerium/pomerium/releases/tag/v0.18.1"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/pomerium/pomerium/releases/tag/v0.19.2"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/pomerium/pomerium/releases/tag/v0.20.1"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/pomerium/pomerium/releases/tag/v0.21.4"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/pomerium/pomerium/releases/tag/v0.22.2"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/pomerium/pomerium/security/advisories/GHSA-pvrc-wvj2-f59p"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-285"}], "source": "security-advisories@github.com", "type": "Secondary"}]}