CVE-2021-39162

Опубликовано: 09 сент. 2021

Источник: nvd

CVSS3: 8.6

CVSS2: 5

EPSS Низкий

Описание

Pomerium is an open source identity-aware access proxy. Envoy, which Pomerium is based on, can abnormally terminate if an H/2 GOAWAY and SETTINGS frame are received in the same IO event. This can lead to a DoS in the presence of untrusted upstream servers. 0.15.1 contains an upgraded envoy binary with this vulnerability patched. If only trusted upstreams are configured, there is not substantial risk of this condition being triggered.

Ссылки

https://github.com/envoyproxy/envoy/security/advisories/GHSA-j374-mjrw-vvp8
Third Party Advisory
https://github.com/pomerium/pomerium/security/advisories/GHSA-gjcg-vrxg-xmgv
Third Party Advisory
https://groups.google.com/g/envoy-announce/c/5xBpsEZZDfE/m/wD05NZBbAgAJ
Not Applicable
Third Party Advisory
https://github.com/envoyproxy/envoy/security/advisories/GHSA-j374-mjrw-vvp8
Third Party Advisory
https://github.com/pomerium/pomerium/security/advisories/GHSA-gjcg-vrxg-xmgv
Third Party Advisory
https://groups.google.com/g/envoy-announce/c/5xBpsEZZDfE/m/wD05NZBbAgAJ
Not Applicable
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*

Версия до 1.18.4 (исключая)

cpe:2.3:a:envoyproxy:envoy:1.19.0:*:*:*:*:*:*:*

cpe:2.3:a:pomerium:pomerium:0.15.0:*:*:*:*:*:*:*

EPSS

Процентиль: 71%

0.00668

Низкий

8.6 High

CVSS3

5 Medium

CVSS2

Дефекты

CWE-754

Связанные уязвимости

GHSA-gjcg-vrxg-xmgv