CVE-2024-39315
📋 TL;DR
Pomerium versions before 0.26.1 expose OAuth2 access and ID tokens on the user info page, allowing potential token theft. This affects organizations using Pomerium as an identity-aware proxy. Attackers could steal tokens via cross-site scripting in upstream applications.
💻 Affected Systems
- Pomerium
📦 What is this software?
Pomerium by Pomerium
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal OAuth tokens via XSS in upstream apps, impersonate users in applications that only verify ID tokens, and potentially access sensitive resources.
Likely Case
Token exposure increases attack surface but requires XSS in upstream apps for exploitation. Most properly configured applications using Pomerium JWTs or mTLS remain protected.
If Mitigated
Minimal impact if applications verify Pomerium JWTs per request, use mTLS between Pomerium and apps, or have network-layer security.
🎯 Exploit Status
Exploitation requires an XSS vulnerability in an upstream application, which an attacker would use to read the tokens exposed at the /.pomerium endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.26.1
Vendor Advisory: https://github.com/pomerium/pomerium/security/advisories/GHSA-rrqr-7w59-637v
Restart Required: Yes
Instructions:
1. Back up the current configuration.
2. Update Pomerium to version 0.26.1 or later.
3. Restart the Pomerium service.
4. Verify the fix by checking the version and testing the user info page.
🔧 Temporary Workarounds
No official workarounds
Vendor states no known workarounds are available.
🧯 If You Can't Patch
- Ensure upstream applications verify Pomerium JWT for every request
- Implement mTLS between Pomerium and all upstream applications
🔍 How to Verify
Check if Vulnerable:
Check the Pomerium version: if it is below 0.26.1, the system is vulnerable. Access the /.pomerium endpoint while authenticated to see whether OAuth2 access and ID tokens are displayed.
Check Version:
pomerium version
Verify Fix Applied:
After updating to 0.26.1 or later, verify the version and confirm that the /.pomerium endpoint no longer exposes OAuth2 access or ID tokens.
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to /.pomerium endpoint
- Multiple token refresh requests from same user
Network Indicators:
- Unexpected requests to /.pomerium from upstream application domains
SIEM Query:
source="pomerium" AND (uri_path="/.pomerium" OR message="token" OR message="OAuth")
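The two log indicators above (a burst of /.pomerium requests from one user, and /.pomerium requests referred from an upstream application page rather than reached by direct navigation) can be checked offline before a SIEM rule is written. The script below is an added example and is not part of this advisory or of the Pomerium project; it parses a small set of constructed JSON-lines access records in a hypothetical field layout (`ts`, `user`, `authority`, `path`, `referer`, which is not Pomerium's real log schema), and the hostnames `authenticate.example.com` and `app.example.com` plus the thresholds (more than 5 hits in 60 seconds) are assumptions to adapt to your own deployment.

```python
import json
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Path of the Pomerium user info page named in the advisory.
USERINFO_PATH = "/.pomerium"

# Constructed sample access log (JSON lines) in a hypothetical layout;
# not Pomerium's actual log format. bob's six hits model a scripted
# fetch loop, carol's hit is referred from an upstream app page.
SAMPLE_LOGS = """
{"ts":"2024-07-01T10:00:00Z","user":"alice@example.com","authority":"app.example.com","path":"/.pomerium","referer":"https://authenticate.example.com/"}
{"ts":"2024-07-01T10:00:03Z","user":"alice@example.com","authority":"app.example.com","path":"/api/items","referer":"https://app.example.com/dashboard"}
{"ts":"2024-07-01T10:02:10Z","user":"carol@example.com","authority":"app.example.com","path":"/.pomerium","referer":"https://app.example.com/dashboard"}
{"ts":"2024-07-01T10:05:00Z","user":"bob@example.com","authority":"app.example.com","path":"/.pomerium","referer":""}
{"ts":"2024-07-01T10:05:04Z","user":"bob@example.com","authority":"app.example.com","path":"/.pomerium","referer":""}
{"ts":"2024-07-01T10:05:09Z","user":"bob@example.com","authority":"app.example.com","path":"/.pomerium","referer":""}
{"ts":"2024-07-01T10:05:15Z","user":"bob@example.com","authority":"app.example.com","path":"/.pomerium","referer":""}
{"ts":"2024-07-01T10:05:20Z","user":"bob@example.com","authority":"app.example.com","path":"/.pomerium","referer":""}
{"ts":"2024-07-01T10:05:25Z","user":"bob@example.com","authority":"app.example.com","path":"/.pomerium","referer":""}
"""


def parse_log_lines(text):
    """Parse JSON-lines records and convert the timestamp to a datetime."""
    records = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def userinfo_hits(records):
    """Keep only requests for the user info page."""
    return [r for r in records if r.get("path") == USERINFO_PATH]


def flag_unexpected_referers(records, allowed_referer_hosts):
    """Return /.pomerium hits whose Referer host is neither empty (direct
    navigation) nor one of the hosts expected to link to the user info page.
    A referer on an upstream application page suggests script on that page
    fetched the tokens, which is the advisory's XSS scenario."""
    flagged = []
    for r in userinfo_hits(records):
        ref = r.get("referer") or ""
        host = urlsplit(ref).hostname if ref else None
        if host is not None and host not in allowed_referer_hosts:
            flagged.append(r)
    return flagged


def flag_bursts(records, max_hits=5, window_seconds=60):
    """Return {user: peak_count} for users with more than max_hits requests
    to /.pomerium inside any sliding window of window_seconds."""
    per_user = defaultdict(list)
    for r in userinfo_hits(records):
        per_user[r["user"]].append(r["ts"])
    flagged = {}
    for user, times in per_user.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            # Slide the window start forward until it fits within window_seconds.
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_hits:
            flagged[user] = peak
    return flagged


def analyse(text, allowed_referer_hosts=frozenset({"authenticate.example.com"})):
    """Run both indicator checks over a log text and return the findings."""
    records = parse_log_lines(text)
    return {
        "unexpected_referer": [
            (r["user"], r["referer"])
            for r in flag_unexpected_referers(records, allowed_referer_hosts)
        ],
        "bursts": flag_bursts(records),
    }


if __name__ == "__main__":
    print(json.dumps(analyse(SAMPLE_LOGS), indent=2))
```

On the constructed input, `analyse` reports carol's referer from `app.example.com` and bob's six-request burst, while alice's single visit referred from the authenticate host is left alone. Both checks only flag access to the user info page; they do not reveal whether tokens were actually shown, so a hit on a pre-0.26.1 deployment still needs to be triaged against the version check above.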
🔗 References
- https://github.com/pomerium/pomerium/commit/4c7c4320afb2ced70ba19b46de1ac4383f3daa48
- https://github.com/pomerium/pomerium/security/advisories/GHSA-rrqr-7w59-637v