Improper Check for Unusual or Exceptional Conditions
CVE-2021-39162
Summary
Pomerium is an open source identity-aware access proxy. Envoy, which Pomerium is based on, can abnormally terminate if an H/2 GOAWAY and SETTINGS frame is received in the same IO event. This can lead to a DoS in the presence of untrusted *upstream* servers. 0.15.1 contains an upgraded envoy binary with this vulnerability patched. If only trusted upstreams are configured, there is not a substantial risk of this condition being triggered. The affected versions are before 0.15.1.
- LOW
- NETWORK
- NONE
- CHANGED
- NONE
- NONE
- NONE
- HIGH
CWE-754 - Improper Check for Unusual or Exceptional Conditions
The software does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the software.
References
Advisory Timeline
- Published