CVE-2021-39162 HIGH

CVE-2021-39162: Incorrect handling of H2 GOAWAY + SETTINGS frames

Vendor Pomerium
Product pomerium
Weakness CWE-754
Published September 9, 2021
Last update August 4, 2024

CVSS base score

8.6/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Changed
Confidentiality None
Integrity None
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

What the vulnerability does

Description

Pomerium is an open source identity-aware access proxy. Envoy, which Pomerium is built on, can abnormally terminate if an HTTP/2 GOAWAY frame and a SETTINGS frame are received in the same IO event. This can lead to a denial of service in the presence of untrusted *upstream* servers. Pomerium 0.15.1 contains an upgraded Envoy binary with this vulnerability patched. If only trusted upstreams are configured, there is no substantial risk of this condition being triggered.
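The two facts an operator needs from the description above are whether the deployment is at or past 0.15.1 and, if not, whether every configured route points only at trusted upstreams. The script below is an added example, not Pomerium project code: it assumes route entries shaped like Pomerium's `from`/`to` policy fields (`to` may be a single URL or a list), a constructed sample config, and an operator-supplied allowlist of trusted upstream hosts.

```python
"""Triage helper for CVE-2021-39162 (added example, not Pomerium's own code).

Answers two questions from the advisory:
  1. Is the running Pomerium at least 0.15.1 (the release shipping the
     patched Envoy binary)?
  2. If not, do all routes point only at trusted upstreams?
Route dicts mirror Pomerium's policy entries (`from`, `to`); the sample
data at the bottom is constructed for this example.
"""
from urllib.parse import urlsplit

PATCHED_VERSION = (0, 15, 1)


def parse_version(tag):
    """'v0.15.0' -> (0, 15, 0); '0.15.1-rc1' -> (0, 15, 1).

    Pre-release and build suffixes are dropped, so a release candidate of
    0.15.1 is treated as patched; tighten this if you deploy RCs.
    """
    core = tag.lstrip("v").split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_patched(tag):
    return parse_version(tag) >= PATCHED_VERSION


def upstream_hosts(route):
    """Pomerium's `to` may be one URL or a list of URLs (load balanced)."""
    to = route.get("to", [])
    if isinstance(to, str):
        to = [to]
    return [urlsplit(u).hostname or u for u in to]


def untrusted_routes(routes, trusted_hosts):
    """Return (from, upstream_host) pairs whose upstream is not allowlisted."""
    findings = []
    for route in routes:
        for host in upstream_hosts(route):
            if host not in trusted_hosts:
                findings.append((route.get("from"), host))
    return findings


def assess(version_tag, routes, trusted_hosts):
    """Verdict: 'patched', 'unpatched-trusted-only' or 'unpatched-exposed'."""
    if is_patched(version_tag):
        return "patched"
    if untrusted_routes(routes, trusted_hosts):
        return "unpatched-exposed"
    return "unpatched-trusted-only"


# Constructed sample routes and allowlist (hypothetical hosts).
SAMPLE_ROUTES = [
    {"from": "https://intranet.example.com", "to": "https://wiki.internal:8443"},
    {"from": "https://lb.example.com",
     "to": ["https://app-a.internal", "https://app-b.internal"]},
    {"from": "https://partner.example.com", "to": "https://api.partner-saas.example"},
]
TRUSTED_HOSTS = {"wiki.internal", "app-a.internal", "app-b.internal"}

if __name__ == "__main__":
    for tag in ("v0.15.0", "v0.15.1"):
        print(tag, assess(tag, SAMPLE_ROUTES, TRUSTED_HOSTS))
    for src, host in untrusted_routes(SAMPLE_ROUTES, TRUSTED_HOSTS):
        print("untrusted upstream:", src, "->", host)
```

The allowlist is the operator's judgement of which upstreams are trusted; a third-party or partner-operated backend behind a route is exactly the untrusted upstream the advisory warns about, so an unpatched deployment with such a route should be upgraded rather than accepted.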

Key dates

Disclosure timeline

September 9, 2021 CVE published
August 4, 2024 Record updated