High severity · NVD Advisory · Published Sep 9, 2021 · Updated Aug 4, 2024
Incorrect handling of H2 GOAWAY + SETTINGS frames
CVE-2021-39162
Description
Pomerium is an open source identity-aware access proxy. Envoy, on which Pomerium is built, can terminate abnormally if an HTTP/2 (H/2) GOAWAY frame and a SETTINGS frame are received in the same I/O event. This can lead to a denial of service (DoS) in the presence of untrusted *upstream* servers. Version 0.15.1 contains an upgraded Envoy binary with this vulnerability patched. If only trusted upstreams are configured, there is no substantial risk of this condition being triggered.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/pomerium/pomerium | Go | < 0.15.1 | 0.15.1 |
Affected products (1)
Patches (0)
No patches discovered yet.
References (5)
- GitHub Advisory Database entry (ADVISORY): github.com/advisories/GHSA-gjcg-vrxg-xmgv
- NVD entry (ADVISORY): nvd.nist.gov/vuln/detail/CVE-2021-39162
- Envoy security advisory GHSA-j374-mjrw-vvp8 (WEB): github.com/envoyproxy/envoy/security/advisories/GHSA-j374-mjrw-vvp8
- Pomerium security advisory GHSA-gjcg-vrxg-xmgv (WEB, vendor confirmation): github.com/pomerium/pomerium/security/advisories/GHSA-gjcg-vrxg-xmgv
- envoy-announce mailing list post (WEB): groups.google.com/g/envoy-announce/c/5xBpsEZZDfE/m/wD05NZBbAgAJ