Excessive Iteration

CVE-2021-39204

High

7.5/10

Summary

Pomerium is an open source identity-aware access proxy. Envoy, which Pomerium is based on, incorrectly handles resetting of HTTP/2 streams with excessive complexity. This can lead to high CPU utilization when a large number of streams are reset. This can result in a DoS condition. Pomerium versions prior to 0.14.8 and 0.15.x prior to 0.15.1 contain an upgraded envoy binary with this vulnerability patched.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: NONE
Availability Impact: HIGH

CWE-834 - Excessive Iteration

The software performs an iteration or loop without sufficiently limiting the number of times that the loop is executed.

References

Advisory
Release Note

Advisory Timeline

Published Sep 09, 2021

Excessive Iteration

CVE-2021-39204

Summary

CWE-834 - Excessive Iteration

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS