CVE-2021-39162 Information

Description

Pomerium is an open source identity-aware access proxy. Envoy which Pomerium is based on can abnormally terminate if an H/2 GOAWAY and SETTINGS frame are received in the same IO event. This can lead to a DoS in the presence of untrusted upstream servers. 0.15.1 contains an upgraded envoy binary with this vulnerability patched. If only trusted upstreams are configured there is not substantial risk of this condition being triggered.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Reference

https://github.com/envoyproxy/envoy/security/advisories/GHSA-j374-mjrw-vvp8 https://groups.google.com/g/envoy-announce/c/5xBpsEZZDfE/m/wD05NZBbAgAJ https://github.com/pomerium/pomerium/security/advisories/GHSA-gjcg-vrxg-xmgv

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

CHANGED

Integrity Impact

NONE

Availability Impact

NONE

Base Score

HIGH

Base Severity

8.6