CVE-2021-39162
8.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Summary
Pomerium is an open source identity-aware access proxy. Envoy, which Pomerium is based on, can abnormally terminate if an H/2 GOAWAY and SETTINGS frame are received in the same IO event. This can lead to a DoS in the presence of untrusted upstream servers. 0.15.1 contains an upgraded envoy binary with this vulnerability patched. If only trusted upstreams are configured, there is not substantial risk of this condition being triggered.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| pomerium | pomerium | >= 0.15.0, < 0.15.1 | affected |
Weaknesses
- CWE-754: CWE-754: Improper Check for Unusual or Exceptional Conditions
ADP Enrichment
CVE Program Container
Additional References
- https://groups.google.com/g/envoy-announce/c/5xBpsEZZDfE/m/wD05NZBbAgAJ
- https://github.com/pomerium/pomerium/security/advisories/GHSA-gjcg-vrxg-xmgv
- https://github.com/envoyproxy/envoy/security/advisories/GHSA-j374-mjrw-vvp8
References
- https://groups.google.com/g/envoy-announce/c/5xBpsEZZDfE/m/wD05NZBbAgAJ
- https://github.com/pomerium/pomerium/security/advisories/GHSA-gjcg-vrxg-xmgv
- https://github.com/envoyproxy/envoy/security/advisories/GHSA-j374-mjrw-vvp8
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.