PRIOn Logo

CVE-2024-39315 Cross site scripting

Routine
Remediate Within 6 Months

CVE Information

Original CVE data

Published:
Updated:

Pomerium is an identity and context-aware access proxy. Prior to version 0.26.1, the Pomerium user info page (at `/.pomerium`) unintentionally included serialized OAuth2 access and ID tokens from the logged-in user's session. These tokens are not intended to be exposed to end users. This issue may be more severe in the presence of a cross-site scripting vulnerability in an upstream application proxied through Pomerium. If an attacker could insert a malicious script onto a web page proxied through Pomerium, that script could access these tokens by making a request to the `/.pomerium` endpoint. Upstream applications that authenticate only the ID token may be vulnerable to user impersonation using a token obtained in this manner. Note that an OAuth2 access token or ID token by itself is not sufficient to hijack a user's Pomerium session. Upstream applications should not be vulnerable to user impersonation via these tokens provided the application verifies the Pomerium JWT for each request, the connection between Pomerium and the application is secured by mTLS, or the connection between Pomerium and the application is otherwise secured at the network layer. The issue is patched in Pomerium v0.26.1. No known workarounds are available.

CWE:
CVSS v2-
CVSS v3-
References
https://github.com/pomerium/pomerium/security/advisories/GHSA-rrqr-7w59-637v
https://github.com/pomerium/pomerium/commit/4c7c4320afb2ced70ba19b46de1ac4383f3daa48
Affected Vendors

Basic Analysis

Common vulnerability metrics

Vulnerabilty type as detected by PRIOnengine

Cross site scripting

CVSS Scores as calculated by PRIOnengine
CVSS v24.3
AV:N/AC:M/AU:N/C:N/I:P/A:N
CVSS v38.2
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
MITRE CWE Top 25

-

Exploits

No exploit code is reported to exist.

Active Exploitation

Vulnerability is not in CISA's Known Exploited Vulnerabilities (KEV) catalog. See the KEV Catalog

Social Network Activity

-

Threat Actor Activity

No sightings of the vulnerability within threat reports.

Cybersecurity Frameworks

How the vulnerability maps against various cybersecurity frameworks

T1566.002 - Phishing (Spearphishing Link)
T1566 - Phishing
T1539 - Steal Web Session Cookie
T1190 - Exploit Public-Facing Application
T1189 - Drive-by Compromise
T1059 - Command and Scripting Interpreter

Compliance Impact

How the submited vulnerability affects compliance

PCI DSS v3.2.1-6.5.7 - Cross Site Scripting

Web Application Security Frameworks

Applicable if the issue likely affects a web application

WASC-8 - Cross Site Scripting