CVE-2021-39206

HIGH 8.6 · EPSS 0.16%

Incorrect Authorization with specially crafted requests

Published: 9/10/2021 · Modified: 2/4/2026
Also known as: GHSA-cfc2-wjcm-c8fm, BIT-envoy-2021-39206

Description

Envoy, which Pomerium is based on, contains two authorization-related vulnerabilities:

- [CVE-2021-32777](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32779): incorrectly transforms a URL containing a `#fragment` element, causing a mismatch in path-prefix based authorization decisions.
- [CVE-2021-32779](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32777): incorrectly handles duplicate headers, dropping all but the last. This may lead to incorrect routing or authorization policy decisions.

### Impact

With specially crafted requests, incorrect authorization or routing decisions may be made by Pomerium.

### Patches

Pomerium v0.14.8 and v0.15.1 contain an upgraded Envoy binary with these vulnerabilities patched.

### Workarounds

- This issue can only be triggered when using path-prefix based policy. Removing any such policies should provide mitigation.

### References

- [envoy GSA CVE-2021-32777](https://github.com/envoyproxy/envoy/security/advisories/GHSA-r222-74fw-jqr9)
- [envoy GSA CVE-2021-32779](https://github.com/envoyproxy/envoy/security/advisories/GHSA-6g4j-5vrw-2m8h)
- [envoy announcement](https://groups.google.com/g/envoy-announce/c/5xBpsEZZDfE/m/wD05NZBbAgAJ)

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [pomerium/pomerium](https://github.com/pomerium/pomerium/issues)
* Email us at [[email protected]](mailto:[email protected])
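The two failure modes above share a root cause: the string the authorization layer matches against is not the string the request is routed on. The following Go program is an added illustration, not Pomerium's or Envoy's code, of the defensive shape a path-prefix policy check should take. The `Policy` type and the single-valued `X-Role` header are hypothetical. It parses the request target so that any `#fragment` (which is never valid in an HTTP request-target) is separated from the path before matching, matches prefixes on whole path segments, and treats a request carrying duplicate copies of a security-relevant header as ambiguous and denies it rather than trusting whichever copy a downstream component happened to keep.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Policy is a hypothetical path-prefix rule: a request whose path begins
// with Prefix is allowed only if the caller presents RequiredRole.
// Illustrative only; this is not Pomerium's policy model.
type Policy struct {
	Prefix       string
	RequiredRole string
}

// authzPath reduces a request target to the path that authorization and
// routing will both use. url.Parse splits off "?query" and "#fragment", so
// "/docs#/admin/users" yields "/docs" and "/admin/users#/docs" yields
// "/admin/users". The presence of a fragment is reported so it can be logged.
func authzPath(target string) (path string, hadFragment bool, err error) {
	u, err := url.Parse(target)
	if err != nil {
		return "", false, err
	}
	return u.Path, u.Fragment != "", nil
}

// hasPathPrefix matches on whole path segments, so the prefix "/admin"
// covers "/admin" and "/admin/users" but not "/administrator".
func hasPathPrefix(p, prefix string) bool {
	prefix = strings.TrimSuffix(prefix, "/")
	if prefix == "" {
		return true // a prefix of "/" covers every path
	}
	return p == prefix || strings.HasPrefix(p, prefix+"/")
}

// roleFrom reads the caller's role from the hypothetical single-valued
// X-Role header. If the request carries more than one X-Role value it is
// ambiguous (an intermediary might keep the first, another the last), so
// the request is treated as having no role at all: fail closed.
func roleFrom(h http.Header) (string, bool) {
	vals := h.Values("X-Role")
	if len(vals) != 1 {
		return "", false
	}
	return strings.TrimSpace(vals[0]), true
}

// Decide evaluates policies in order against a request target and headers;
// the first policy whose prefix matches decides. Paths that match no policy
// are denied. The returned reason is intended for the decision log.
func Decide(policies []Policy, target string, h http.Header) (allowed bool, reason string) {
	path, hadFragment, err := authzPath(target)
	if err != nil {
		return false, "unparseable request target"
	}
	if hadFragment {
		reason = "fragment stripped before matching; "
	}
	role, ok := roleFrom(h)
	for _, p := range policies {
		if hasPathPrefix(path, p.Prefix) {
			if ok && role == p.RequiredRole {
				return true, reason + "matched " + p.Prefix
			}
			return false, reason + "role missing, ambiguous or wrong for " + p.Prefix
		}
	}
	return false, reason + "no matching policy"
}

func main() {
	pols := []Policy{
		{Prefix: "/admin/", RequiredRole: "admin"},
		{Prefix: "/", RequiredRole: "user"},
	}
	// Constructed sample requests, not captured traffic.
	h := http.Header{}
	h.Set("X-Role", "user")
	for _, target := range []string{"/docs", "/admin/users", "/admin/users#/docs", "/docs#/admin/users"} {
		ok, why := Decide(pols, target, h)
		fmt.Printf("%-20s allowed=%-5v %s\n", target, ok, why)
	}
	dup := http.Header{}
	dup.Add("X-Role", "user")
	dup.Add("X-Role", "admin")
	ok, why := Decide(pols, "/admin/users", dup)
	fmt.Printf("duplicate X-Role:    allowed=%-5v %s\n", ok, why)
}
```

The point of `authzPath` is that both the policy check and whatever later routes the request consume the same `u.Path`; if one side matched on the raw target and the other on a parsed path, a `#` in the target would let them disagree. The duplicate-header rule in `roleFrom` is deliberately strict: a header that is defined as single-valued but arrives twice is evidence of a malformed or tampered request, and denying it is cheaper than guessing which copy upstream components will see.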

Affected packages (2)

CVSS scores

| Source | Version | Severity | Vector |
| --- | --- | --- | --- |
| osv | CVSS 3.1 | HIGH 8.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |

References (6)