8.6 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
0.002 Low
EPSS
Percentile
54.1%
Envoy, which Pomerium is based on, contains two authorization related vulnerabilities:
#fragment
element, causing a mismatch in path-prefix based authorization decisions.With specially crafted requests, incorrect authorization or routing decisions may be made by Pomerium.
Pomerium v0.14.8 and v0.15.1 contain an upgraded envoy binary with these vulnerabilities patched.
envoy GSA CVE-2021-32777
envoy GSA CVE-2021-32779
envoy announcement
If you have any questions or comments about this advisory:
CPE | Name | Operator | Version |
---|---|---|---|
github.com/pomerium/pomerium | eq | 0.15.0 | |
github.com/pomerium/pomerium | lt | 0.14.8 |
github.com/advisories/GHSA-cfc2-wjcm-c8fm
github.com/envoyproxy/envoy/security/advisories/GHSA-6g4j-5vrw-2m8h
github.com/envoyproxy/envoy/security/advisories/GHSA-r222-74fw-jqr9
github.com/pomerium/pomerium/security/advisories/GHSA-cfc2-wjcm-c8fm
groups.google.com/g/envoy-announce/c/5xBpsEZZDfE/m/wD05NZBbAgAJ
nvd.nist.gov/vuln/detail/CVE-2021-39206
8.6 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
0.002 Low
EPSS
Percentile
54.1%