Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2021-39206

Good to know:

icon

Date: September 9, 2021

Pomerium is an open source identity-aware access proxy. Envoy, which Pomerium is based on, contains two authorization related vulnerabilities CVE-2021-32777 and CVE-2021-32779. This may lead to incorrect routing or authorization policy decisions. With specially crafted requests, incorrect authorization or routing decisions may be made by Pomerium. Pomerium v0.14.8 and v0.15.1 contain an upgraded envoy binary with these vulnerabilities patched. This issue can only be triggered when using path prefix based policy. Removing any such policies should provide mitigation.

Language: Go

Severity Score

Related Resources (6)

https://github.com/envoyproxy/envoy/security/advisories/GHSA-6g4j-5vrw-2m8h
https://nvd.nist.gov/vuln/detail/CVE-2021-39206
https://github.com/pomerium/pomerium/security/advisories/GHSA-cfc2-wjcm-c8fm
https://github.com/envoyproxy/envoy/security/advisories/GHSA-r222-74fw-jqr9
https://groups.google.com/g/envoy-announce/c/5xBpsEZZDfE/m/wD05NZBbAgAJ
https://www.mend.io/vulnerability-database/CVE-2021-39206

Severity Score

Weakness Type (CWE)

Incorrect Authorization

CWE-863

Top Fix

icon

Upgrade Version

Upgrade to version pomerium - v0.14.8, v0.15.1

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): CHANGED
Confidentiality (C): NONE
Integrity (I): HIGH
Availability (A): NONE

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): LOW
Authentication (AU): NONE
Confidentiality (C): NONE
Integrity (I): PARTIAL
Availability (A): NONE
Additional information:

Do you need more information?

Contact Us