reports: add GO-2021-0258 for CVE-2021-41230

Fixes #258

Change-Id: I0781ce61af3375a40a4f13c6111e7a381097c8b8
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/377621
Trust: Julie Qiu <[email protected]>
Run-TryBot: Julie Qiu <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Damien Neil <[email protected]>

Author: julieqiu

reports/GO-2021-0258.yaml

@@ -0,0 +1,21 @@
+module: github.com/pomerium/pomerium
+versions:
+- fixed: v0.15.6
+description: |
+  Pomerium is an open source identity-aware access proxy. Changes to the OIDC
+  claims of a user after initial login are not reflected in policy evaluation
+  when using allowed_idp_claims as part of policy. If using allowed_idp_claims
+  and a user's claims are changed, Pomerium can make incorrect authorization
+  decisions.
+
+  For users unable to upgrade clear data on databroker service by clearing
+  redis or restarting the in-memory databroker to force claims to be updated.
+cves:
+- CVE-2021-41230
+symbols:
+- Manager.onUpdateRecords
+links:
+  pr: https://github.com/pomerium/pomerium/pull/2724
+  commit: https://github.com/pomerium/pomerium/commit/f20542c4bf2cc691e4c324f7ec79e02e46d95511
+  context:
+  - https://github.com/pomerium/pomerium/security/advisories/GHSA-j6wp-3859-vxfg