CVE-2021-39162

HIGH8.6EPSS 0.67%

Incorrect handling of H2 GOAWAY + SETTINGS frames

Published: 9/10/2021Modified: 5/20/2025

Also known as:GHSA-gjcg-vrxg-xmgvBIT-envoy-2021-39162GO-2022-0933

Description

Pomerium is an open source identity-aware access proxy. Envoy, which Pomerium is based on, can abnormally terminate if an H/2 GOAWAY and SETTINGS frame are received in the same IO event. This can lead to a DoS in the presence of untrusted *upstream* servers. 0.15.1 contains an upgraded envoy binary with this vulnerability patched. If only trusted upstreams are configured, there is not substantial risk of this condition being triggered.

Affected packages (3)

Bitnami/envoyfrom 0, < 1.18.4, >= 1.19.0, < 1.19.1
Go/github.com/pomerium/pomeriumfrom 0, < 0.15.1
Go/github.com/pomerium/pomeriumfrom 0, < 0.15.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

References (5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-39162
PATCHhttps://github.com/pomerium/pomerium
WEBhttps://github.com/envoyproxy/envoy/security/advisories/GHSA-j374-mjrw-vvp8
WEBhttps://github.com/pomerium/pomerium/security/advisories/GHSA-gjcg-vrxg-xmgv
WEBhttps://groups.google.com/g/envoy-announce/c/5xBpsEZZDfE/m/wD05NZBbAgAJ