CVE-2021-39162
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
09/09/2021
Last modified:
27/09/2021
Description
Pomerium is an open source identity-aware access proxy. Envoy, which Pomerium is based on, can abnormally terminate if an H/2 GOAWAY and SETTINGS frame are received in the same IO event. This can lead to a DoS in the presence of untrusted *upstream* servers. 0.15.1 contains an upgraded envoy binary with this vulnerability patched. If only trusted upstreams are configured, there is not substantial risk of this condition being triggered.
Impact
Base Score 3.x
8.60
Severity 3.x
HIGH
Base Score 2.0
5.00
Severity 2.0
MEDIUM
Vulnerable products and versions
CPE | From | Up to |
---|---|---|
cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:* | 1.18.4 (excluding) | |
cpe:2.3:a:envoyproxy:envoy:1.19.0:*:*:*:*:*:*:* | ||
cpe:2.3:a:pomerium:pomerium:0.15.0:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page