CVE-2024-39315: 
NixOS vulnerability analysis and mitigation

Pomerium, an identity and context-aware access proxy, was found to have a security vulnerability in versions prior to 0.26.1. The vulnerability involved the unintentional exposure of serialized OAuth2 access and ID tokens from logged-in users' sessions through the Pomerium user info page (at /.pomerium). The issue was discovered and disclosed in July 2024 (Vendor Advisory).

The vulnerability stems from the user info endpoint inadvertently including sensitive authentication tokens in its response. These tokens, specifically OAuth2 access and ID tokens, were not intended to be exposed to end users. The issue has been assigned a CVSS v3.1 base score of 6.5 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) by NVD, while GitHub assessed it as 5.7 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N). The vulnerability is classified under CWE-201 (Insertion of Sensitive Information Into Sent Data) (NVD).

The exposure of OAuth2 access and ID tokens could potentially lead to user impersonation, particularly in scenarios where upstream applications authenticate using only the ID token. However, the impact is limited as these tokens alone are not sufficient to hijack a user's Pomerium session. The vulnerability becomes more severe when combined with a cross-site scripting (XSS) vulnerability in an upstream application proxied through Pomerium, as malicious scripts could potentially access these tokens through the /.pomerium endpoint (Vendor Advisory).

The vulnerability has been patched in Pomerium version 0.26.1. For applications that cannot immediately update, it's important to note that upstream applications are not vulnerable to token-based impersonation if they: verify the Pomerium JWT for each request, secure the connection between Pomerium and the application using mTLS, or implement network-layer security measures between Pomerium and the application. No other workarounds are available (Vendor Advisory).