CVE-2021-39204 — Excessive Iteration in Pomerium Pomerium

CWE-834 — Excessive Iteration3 documents3 sources

Severity

7.5HIGHNVD

EPSS

0.4%

top 38.85%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Pomerium Pomerium Envoyproxy Envoy Pomerium

Timeline

PublishedSep 9

Latest updateSep 10

Description

Pomerium is an open source identity-aware access proxy. Envoy, which Pomerium is based on, incorrectly handles resetting of HTTP/2 streams with excessive complexity. This can lead to high CPU utilization when a large number of streams are reset. This can result in a DoS condition. Pomerium versions 0.14.8 and 0.15.1 contain an upgraded envoy binary with this vulnerability patched.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶NVDenvoyproxy/envoy1.17.0 — 1.17.4+3

▶NVDpomerium/pomerium< 0.14.8+1

▶Gogithub.com/pomerium_pomerium0.15.0 — 0.15.1+1

▶CVEListV5pomerium/pomerium>= 0.15.0, < 0.15.1

🔴Vulnerability Details

GHSA

Excessive CPU usage↗2021-09-10

▶

OSV

Excessive CPU usage↗2021-09-10

▶