CVE-2021-39206 — Incorrect Authorization in Pomerium Pomerium

CWE-863 — Incorrect Authorization3 documents3 sources

Severity

8.6HIGHNVD

GHSA8.3OSV8.3

EPSS

0.2%

top 62.88%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Pomerium Pomerium Envoyproxy Envoy Pomerium

Timeline

PublishedSep 9

Latest updateSep 10

Description

Pomerium is an open source identity-aware access proxy. Envoy, which Pomerium is based on, contains two authorization related vulnerabilities CVE-2021-32777 and CVE-2021-32779. This may lead to incorrect routing or authorization policy decisions. With specially crafted requests, incorrect authorization or routing decisions may be made by Pomerium. Pomerium v0.14.8 and v0.15.1 contain an upgraded envoy binary with these vulnerabilities patched. This issue can only be triggered when using path pre…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:NExploitability: 3.9 | Impact: 4.0

Affected Packages3 packages

▶NVDpomerium/pomerium0.11.0 — 0.14.8+1

▶Gogithub.com/pomerium_pomerium0.11.0 — 0.14.8+1

▶NVDenvoyproxy/envoy1.17.0 — 1.17.4+3

🔴Vulnerability Details

OSV

Incorrect Authorization with specially crafted requests↗2021-09-10

▶

GHSA

Incorrect Authorization with specially crafted requests↗2021-09-10

▶