CVE-2021-39162

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
09/09/2021
Last modified:
27/09/2021

Description

Pomerium is an open source identity-aware access proxy. Envoy, which Pomerium is based on, can abnormally terminate if an H/2 GOAWAY and SETTINGS frame are received in the same IO event. This can lead to a DoS in the presence of untrusted *upstream* servers. 0.15.1 contains an upgraded envoy binary with this vulnerability patched. If only trusted upstreams are configured, there is not substantial risk of this condition being triggered.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:* 1.18.4 (excluding)
cpe:2.3:a:envoyproxy:envoy:1.19.0:*:*:*:*:*:*:*
cpe:2.3:a:pomerium:pomerium:0.15.0:*:*:*:*:*:*:*