Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
cve[email protected]CVE-2021-39206
HistorySep 09, 2021 - 11:15 p.m.

CVE-2021-39206

2021-09-0923:15:00
CWE-863
[email protected]
web.nvd.nist.gov
31
pomerium
open source
identity-aware
access proxy
cve-2021-39206
vulnerability
nvd

8.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

8.3 High

AI Score

Confidence

High

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

0.002 Low

EPSS

Percentile

54.1%

JSON

Pomerium is an open source identity-aware access proxy. Envoy, which Pomerium is based on, contains two authorization related vulnerabilities CVE-2021-32777 and CVE-2021-32779. This may lead to incorrect routing or authorization policy decisions. With specially crafted requests, incorrect authorization or routing decisions may be made by Pomerium. Pomerium v0.14.8 and v0.15.1 contain an upgraded envoy binary with these vulnerabilities patched. This issue can only be triggered when using path prefix based policy. Removing any such policies should provide mitigation.

VendorProductVersionCPE
pomeriumpomerium*cpe:2.3:a:pomerium:pomerium:*:*:*:*:*:*:*:*
pomeriumpomerium*cpe:2.3:a:pomerium:pomerium:*:*:*:*:*:*:*:*

Related

osv 7
prion 3
github 1
veracode 2
redhatcve 2
nessus 5
cve 2
oraclelinux 3
redhat 2
osv
osv
Incorrect Authorization with specially crafted requests
2021-09-10 17:54:25
BIT-envoy-2021-32777
2024-03-06 10:58:27
CVE-2021-32777
2021-08-24 21:15:06
prion
prion
Authorization
2021-09-09 23:15:00
Authorization
2021-08-24 21:15:00
Path traversal
2021-08-24 21:15:00
github
github
Incorrect Authorization with specially crafted requests
2021-09-10 17:54:25
veracode
veracode
Denial Of Service (DoS)
2021-08-29 19:44:50
Authorization Bypass
2021-08-29 19:44:47
redhatcve
redhatcve
CVE-2021-32779
2021-08-24 22:14:54
CVE-2021-32777
2021-08-24 22:14:49
nessus
nessus
Oracle Linux 7 : olcne (ELSA-2021-9526)
2021-11-09 00:00:00
RHEL 8 : Red Hat OpenShift Service Mesh 2.0.7.1 (RHSA-2021:3272)
2021-08-25 00:00:00
RHEL 8 : Red Hat OpenShift Service Mesh 1.1.17.1 (RHSA-2021:3273)
2021-08-25 00:00:00
cve
cve
CVE-2021-32779
2021-08-24 21:15:00
CVE-2021-32777
2021-08-24 21:15:00
oraclelinux
oraclelinux
olcne security update
2021-11-10 00:00:00
olcne istio istio kubernetes security update
2021-11-09 00:00:00
olcne security update
2021-11-09 00:00:00
redhat
redhat
(RHSA-2021:3273) Important: Red Hat OpenShift Service Mesh 1.1.17.1 security update
2021-08-25 09:17:57
(RHSA-2021:3272) Important: Red Hat OpenShift Service Mesh 2.0.7.1 security update
2021-08-25 09:17:04

8.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

8.3 High

AI Score

Confidence

High

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

0.002 Low

EPSS

Percentile

54.1%

JSON
Related for CVE-2021-39206
osv7prion3github1veracode2redhatcve2nessus5cve2oraclelinux3redhat2