CVE-2021-29651: 
NixOS vulnerability analysis and mitigation

Pomerium versions before 0.13.4 contained an Open Redirect vulnerability identified as CVE-2021-29651. The vulnerability was discovered and disclosed on March 31, 2021. This security issue affected the programmatic access functionality of protected sites within the Pomerium authentication system (GitHub Advisory).

The vulnerability allows an attacker to manipulate the pomeriumredirecturi parameter to obtain a signed login URL pointing to an arbitrary destination. When a user who is already authenticated with Pomerium visits this URL, they are redirected to the attacker-specified URI along with an attached JWT token. The vulnerability is classified as CWE-601 (Open Redirect) and has been assigned a High severity rating (GitHub Advisory).

The exploitation of this vulnerability leads to two primary security concerns: First, it enables an open redirect attack vector. More critically, it results in JWT token leakage, allowing attackers to obtain the victim's JWT. With the leaked JWT, attackers can reveal the victim's identity (including email address) by submitting the token to the authenticate service or verify.pomerium.com. Furthermore, if applications using Pomerium don't properly verify the 'aud' claim while validating JWTs, attackers could potentially access these applications while impersonating the victim (GitHub Advisory).

The vulnerability has been patched in Pomerium version 0.13.4. No alternative workarounds are available, making it crucial for affected users to upgrade to the patched version (GitHub Advisory).