CVE-2022-24797

Pomerium is an identity-aware access proxy. In distributed service mode, Pomerium's Authenticate service exposes pprof debug and prometheus metrics handlers to untrusted traffic. This can leak potentially sensitive environmental information or lead to limited denial of service conditions. This...

Exposure of debug and metrics endpoints in Pomerium

Impact In distributed service mode, Pomerium's Authenticate service exposes pprof debug and prometheus metrics handlers to untrusted traffic. This can leak potentially sensitive environmental information or lead to limited denial of service conditions. Patches v0.17.1 Workarounds Block access to...

CVE-2023-47163

Remarshal prior to v0.17.1 expands YAML alias nodes unlimitedly, hence Remarshal is vulnerable to Billion Laughs Attack. Processing untrusted YAML files may cause a denial-of-service DoS condition...

PYSEC-2023-236

Remarshal prior to v0.17.1 expands YAML alias nodes unlimitedly, hence Remarshal is vulnerable to Billion Laughs Attack. Processing untrusted YAML files may cause a denial-of-service DoS condition...

Race condition

Remarshal prior to v0.17.1 expands YAML alias nodes unlimitedly, hence Remarshal is vulnerable to Billion Laughs Attack. Processing untrusted YAML files may cause a denial-of-service DoS condition...

CVE-2023-47163

CVE-2023-47163 affects the Remarshal YAML processor. Before v0.17.1, it allows unlimited expansion of YAML alias nodes, enabling a Billion Laughs-style DoS when processing untrusted YAML files. The vulnerability is documented across multiple sources, and remediation is to upgrade to Remarshal v0....

CVE-2022-24797

Pomerium is an identity-aware access proxy. In distributed service mode, Pomerium's Authenticate service exposes pprof debug and prometheus metrics handlers to untrusted traffic. This can leak potentially sensitive environmental information or lead to limited denial of service conditions. This...