CVE-2021-39162

Pomerium is an open source identity-aware access proxy. Envoy, which Pomerium is based on, can abnormally terminate if an H/2 GOAWAY and SETTINGS frame are received in the same IO event. This can lead to a DoS in the presence of untrusted *upstream* servers. 0.15.1 contains an upgraded envoy binary with this vulnerability patched. If only trusted upstreams are configured, there is not substantial risk of this condition being triggered.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.6 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
GitHub_MCNA
8.6 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 70%
VendorProductVersion
envoyproxyenvoy
𝑥
< 1.18.4
envoyproxyenvoy
1.19.0
pomeriumpomerium
0.15.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/envoyproxy/envoy/security/advisories/GHSA-j374-mjrw-vvp8
https://github.com/pomerium/pomerium/security/advisories/GHSA-gjcg-vrxg-xmgv
https://groups.google.com/g/envoy-announce/c/5xBpsEZZDfE/m/wD05NZBbAgAJ
https://github.com/envoyproxy/envoy/security/advisories/GHSA-j374-mjrw-vvp8
https://github.com/pomerium/pomerium/security/advisories/GHSA-gjcg-vrxg-xmgv
https://groups.google.com/g/envoy-announce/c/5xBpsEZZDfE/m/wD05NZBbAgAJ