Impact

Some API endpoints under /.pomerium/ do not verify parameters with pomerium_signature. This could allow modifying parameters intended to be trusted to Pomerium.

The issue mainly affects routes responsible for sign in/out, but does not introduce an authentication bypass.

Patches

Patched in v0.13.4

Workarounds

None

References

None

For more information

If you have any questions or comments about this advisory:

• Open an issue in pomerium
• Email us at [email protected]