CVE-2023-33189 - Vulnerability Details - OpenCVE

Pomerium is an identity and context-aware access proxy. With specially crafted requests, incorrect authorization decisions may be made by Pomerium. This issue has been patched in versions 0.17.4, 0.18.1, 0.19.2, 0.20.1, 0.21.4 and 0.22.2.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact total

Vendors	Products
Pomerium	Pomerium

Configuration 1 [-]

OR	cpe:2.3:a:pomerium:pomerium::::::::
	cpe:2.3:a:pomerium:pomerium::::::::
	cpe:2.3:a:pomerium:pomerium::::::::
	cpe:2.3:a:pomerium:pomerium::::::::
	cpe:2.3:a:pomerium:pomerium:0.18.0:::::::*
	cpe:2.3:a:pomerium:pomerium:0.20.0:::::::*

No data.

References

Link	Providers
https://github.com/pomerium/pomerium/commit/d315e683357a9b587ba9ef399a8813bcc52fdebb
https://github.com/pomerium/pomerium/releases/tag/v0.17.4
https://github.com/pomerium/pomerium/releases/tag/v0.18.1
https://github.com/pomerium/pomerium/releases/tag/v0.19.2
https://github.com/pomerium/pomerium/releases/tag/v0.20.1
https://github.com/pomerium/pomerium/releases/tag/v0.21.4
https://github.com/pomerium/pomerium/releases/tag/v0.22.2
https://github.com/pomerium/pomerium/security/advisories/GHSA-pvrc-wvj2-f59p

History

Fri, 10 Jan 2025 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-05-30T05:39:45.132Z

Updated: 2025-01-10T19:02:02.336Z

Reserved: 2023-05-17T22:25:50.698Z

Link: CVE-2023-33189

Vulnrichment

Updated: 2024-08-02T15:39:35.821Z

NVD

Status : Modified

Published: 2023-05-30T06:16:37.937

Modified: 2024-11-21T08:05:05.060

Link: CVE-2023-33189

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-33189", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-05-17T22:25:50.698Z", "datePublished": "2023-05-30T05:39:45.132Z", "dateUpdated": "2025-01-10T19:02:02.336Z"}, "containers": {"cna": {"title": "Incorrect Authorization with specially crafted requests", "problemTypes": [{"descriptions": [{"cweId": "CWE-285", "lang": "en", "description": "CWE-285: Improper Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/pomerium/pomerium/security/advisories/GHSA-pvrc-wvj2-f59p", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pomerium/pomerium/security/advisories/GHSA-pvrc-wvj2-f59p"}, {"name": "https://github.com/pomerium/pomerium/commit/d315e683357a9b587ba9ef399a8813bcc52fdebb", "tags": ["x_refsource_MISC"], "url": "https://github.com/pomerium/pomerium/commit/d315e683357a9b587ba9ef399a8813bcc52fdebb"}, {"name": "https://github.com/pomerium/pomerium/releases/tag/v0.17.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/pomerium/pomerium/releases/tag/v0.17.4"}, {"name": "https://github.com/pomerium/pomerium/releases/tag/v0.18.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/pomerium/pomerium/releases/tag/v0.18.1"}, {"name": "https://github.com/pomerium/pomerium/releases/tag/v0.19.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/pomerium/pomerium/releases/tag/v0.19.2"}, {"name": "https://github.com/pomerium/pomerium/releases/tag/v0.20.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/pomerium/pomerium/releases/tag/v0.20.1"}, {"name": "https://github.com/pomerium/pomerium/releases/tag/v0.21.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/pomerium/pomerium/releases/tag/v0.21.4"}, {"name": "https://github.com/pomerium/pomerium/releases/tag/v0.22.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/pomerium/pomerium/releases/tag/v0.22.2"}], "affected": [{"vendor": "pomerium", "product": "pomerium", "versions": [{"version": ">= 0.22.0, < 0.22.2", "status": "affected"}, {"version": ">= 0.21.0, < 0.21.4", "status": "affected"}, {"version": ">= 0.20.0, < 0.20.1", "status": "affected"}, {"version": ">= 0.19.0, < 0.19.2", "status": "affected"}, {"version": ">= 0.18.0, < 0.18.1", "status": "affected"}, {"version": "< 0.17.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-05-30T05:39:45.132Z"}, "descriptions": [{"lang": "en", "value": "Pomerium is an identity and context-aware access proxy. With specially crafted requests, incorrect authorization decisions may be made by Pomerium. This issue has been patched in versions 0.17.4, 0.18.1, 0.19.2, 0.20.1, 0.21.4 and 0.22.2."}], "source": {"advisory": "GHSA-pvrc-wvj2-f59p", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T15:39:35.821Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/pomerium/pomerium/security/advisories/GHSA-pvrc-wvj2-f59p", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/pomerium/pomerium/security/advisories/GHSA-pvrc-wvj2-f59p"}, {"name": "https://github.com/pomerium/pomerium/commit/d315e683357a9b587ba9ef399a8813bcc52fdebb", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/pomerium/pomerium/commit/d315e683357a9b587ba9ef399a8813bcc52fdebb"}, {"name": "https://github.com/pomerium/pomerium/releases/tag/v0.17.4", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/pomerium/pomerium/releases/tag/v0.17.4"}, {"name": "https://github.com/pomerium/pomerium/releases/tag/v0.18.1", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/pomerium/pomerium/releases/tag/v0.18.1"}, {"name": "https://github.com/pomerium/pomerium/releases/tag/v0.19.2", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/pomerium/pomerium/releases/tag/v0.19.2"}, {"name": "https://github.com/pomerium/pomerium/releases/tag/v0.20.1", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/pomerium/pomerium/releases/tag/v0.20.1"}, {"name": "https://github.com/pomerium/pomerium/releases/tag/v0.21.4", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/pomerium/pomerium/releases/tag/v0.21.4"}, {"name": "https://github.com/pomerium/pomerium/releases/tag/v0.22.2", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/pomerium/pomerium/releases/tag/v0.22.2"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-01-10T19:01:46.088923Z", "id": "CVE-2023-33189", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-10T19:02:02.336Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/pomerium/pomerium/security/advisories/GHSA-pvrc-wvj2-f59p", "name": "https://github.com/pomerium/pomerium/security/advisories/GHSA-pvrc-wvj2-f59p", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/pomerium/pomerium/commit/d315e683357a9b587ba9ef399a8813bcc52fdebb", "name": "https://github.com/pomerium/pomerium/commit/d315e683357a9b587ba9ef399a8813bcc52fdebb", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/pomerium/pomerium/releases/tag/v0.17.4", "name": "https://github.com/pomerium/pomerium/releases/tag/v0.17.4", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/pomerium/pomerium/releases/tag/v0.18.1", "name": "https://github.com/pomerium/pomerium/releases/tag/v0.18.1", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/pomerium/pomerium/releases/tag/v0.19.2", "name": "https://github.com/pomerium/pomerium/releases/tag/v0.19.2", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/pomerium/pomerium/releases/tag/v0.20.1", "name": "https://github.com/pomerium/pomerium/releases/tag/v0.20.1", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/pomerium/pomerium/releases/tag/v0.21.4", "name": "https://github.com/pomerium/pomerium/releases/tag/v0.21.4", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/pomerium/pomerium/releases/tag/v0.22.2", "name": "https://github.com/pomerium/pomerium/releases/tag/v0.22.2", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T15:39:35.821Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-33189", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-01-10T19:01:46.088923Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-10T19:01:54.964Z"}}], "cna": {"title": "Incorrect Authorization with specially crafted requests", "source": {"advisory": "GHSA-pvrc-wvj2-f59p", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 10, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "pomerium", "product": "pomerium", "versions": [{"status": "affected", "version": ">= 0.22.0, < 0.22.2"}, {"status": "affected", "version": ">= 0.21.0, < 0.21.4"}, {"status": "affected", "version": ">= 0.20.0, < 0.20.1"}, {"status": "affected", "version": ">= 0.19.0, < 0.19.2"}, {"status": "affected", "version": ">= 0.18.0, < 0.18.1"}, {"status": "affected", "version": "< 0.17.4"}]}], "references": [{"url": "https://github.com/pomerium/pomerium/security/advisories/GHSA-pvrc-wvj2-f59p", "name": "https://github.com/pomerium/pomerium/security/advisories/GHSA-pvrc-wvj2-f59p", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/pomerium/pomerium/commit/d315e683357a9b587ba9ef399a8813bcc52fdebb", "name": "https://github.com/pomerium/pomerium/commit/d315e683357a9b587ba9ef399a8813bcc52fdebb", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/pomerium/pomerium/releases/tag/v0.17.4", "name": "https://github.com/pomerium/pomerium/releases/tag/v0.17.4", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/pomerium/pomerium/releases/tag/v0.18.1", "name": "https://github.com/pomerium/pomerium/releases/tag/v0.18.1", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/pomerium/pomerium/releases/tag/v0.19.2", "name": "https://github.com/pomerium/pomerium/releases/tag/v0.19.2", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/pomerium/pomerium/releases/tag/v0.20.1", "name": "https://github.com/pomerium/pomerium/releases/tag/v0.20.1", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/pomerium/pomerium/releases/tag/v0.21.4", "name": "https://github.com/pomerium/pomerium/releases/tag/v0.21.4", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/pomerium/pomerium/releases/tag/v0.22.2", "name": "https://github.com/pomerium/pomerium/releases/tag/v0.22.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Pomerium is an identity and context-aware access proxy. With specially crafted requests, incorrect authorization decisions may be made by Pomerium. This issue has been patched in versions 0.17.4, 0.18.1, 0.19.2, 0.20.1, 0.21.4 and 0.22.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-285", "description": "CWE-285: Improper Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-05-30T05:39:45.132Z"}}}, "cveMetadata": {"cveId": "CVE-2023-33189", "state": "PUBLISHED", "dateUpdated": "2025-01-10T19:02:02.336Z", "dateReserved": "2023-05-17T22:25:50.698Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2023-05-30T05:39:45.132Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pomerium:pomerium:*:*:*:*:*:*:*:*", "matchCriteriaId": "BB4624AE-F046-4907-A7E2-30415D3C243A", "versionEndExcluding": "0.17.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:pomerium:pomerium:*:*:*:*:*:*:*:*", "matchCriteriaId": "B8B01C39-CC4A-4A3C-850E-0C6DE43B8C45", "versionEndExcluding": "0.19.2", "versionStartIncluding": "0.19.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:pomerium:pomerium:*:*:*:*:*:*:*:*", "matchCriteriaId": "74933B5D-F984-414E-81D1-74D1447E6B28", "versionEndExcluding": "0.21.4", "versionStartIncluding": "0.21.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:pomerium:pomerium:*:*:*:*:*:*:*:*", "matchCriteriaId": "B7F7CBF8-0778-4DF2-AF60-B8C12E42B896", "versionEndExcluding": "0.22.2", "versionStartIncluding": "0.22.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:pomerium:pomerium:0.18.0:*:*:*:*:*:*:*", "matchCriteriaId": "0A86D41E-451B-4696-8993-AF8734BDDBF4", "vulnerable": true}, {"criteria": "cpe:2.3:a:pomerium:pomerium:0.20.0:*:*:*:*:*:*:*", "matchCriteriaId": "6754E0E9-C41E-4568-9E16-3EDF00CF5A62", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Pomerium is an identity and context-aware access proxy. With specially crafted requests, incorrect authorization decisions may be made by Pomerium. This issue has been patched in versions 0.17.4, 0.18.1, 0.19.2, 0.20.1, 0.21.4 and 0.22.2."}, {"lang": "es", "value": "Pomerium es un proxy de acceso consciente de la identidad y el contexto. Con peticiones manipuladas, Pomerium puede tomar decisiones de autorizaci\u00f3n incorrectas. Este problema ha sido corregido en las versiones 0.17.4, 0.18.1, 0.19.2, 0.20.1, 0.21.4 y 0.22.2. "}], "id": "CVE-2023-33189", "lastModified": "2024-11-21T08:05:05.060", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-05-30T06:16:37.937", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/pomerium/pomerium/commit/d315e683357a9b587ba9ef399a8813bcc52fdebb"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/pomerium/pomerium/releases/tag/v0.17.4"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/pomerium/pomerium/releases/tag/v0.18.1"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/pomerium/pomerium/releases/tag/v0.19.2"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/pomerium/pomerium/releases/tag/v0.20.1"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/pomerium/pomerium/releases/tag/v0.21.4"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/pomerium/pomerium/releases/tag/v0.22.2"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/pomerium/pomerium/security/advisories/GHSA-pvrc-wvj2-f59p"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/pomerium/pomerium/commit/d315e683357a9b587ba9ef399a8813bcc52fdebb"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://github.com/pomerium/pomerium/releases/tag/v0.17.4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://github.com/pomerium/pomerium/releases/tag/v0.18.1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://github.com/pomerium/pomerium/releases/tag/v0.19.2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://github.com/pomerium/pomerium/releases/tag/v0.20.1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://github.com/pomerium/pomerium/releases/tag/v0.21.4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://github.com/pomerium/pomerium/releases/tag/v0.22.2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/pomerium/pomerium/security/advisories/GHSA-pvrc-wvj2-f59p"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}