CVE-2021-39204 : Pomerium is an open source identity-aware access proxy. Envoy, which Pomerium is

Pomerium is an open source identity-aware access proxy. Envoy, which Pomerium is based on, incorrectly handles resetting of HTTP/2 streams with excessive complexity. This can lead to high CPU utilization when a large number of streams are reset. This can result in a DoS condition. Pomerium versions 0.14.8 and 0.15.1 contain an upgraded envoy binary with this vulnerability patched.

Published 2021-09-09 22:15:10

Updated 2021-09-27 18:30:56

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: Denial of service

Products affected by CVE-2021-39204

Envoyproxy » Envoy
Versions up to, including, (<=) 1.16.4
cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*
Matching versions
Envoyproxy » Envoy
Versions from including (>=) 1.17.0 and before (<) 1.17.4
cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*
Matching versions
Envoyproxy » Envoy
Versions from including (>=) 1.18.0 and before (<) 1.18.4
cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*
Matching versions
Envoyproxy » Envoy » Version: 1.19.0
cpe:2.3:a:envoyproxy:envoy:1.19.0:*:*:*:*:*:*:*
Matching versions
Pomerium » Pomerium
Versions before (<) 0.14.8
cpe:2.3:a:pomerium:pomerium:*:*:*:*:*:*:*:*
Matching versions
Pomerium » Pomerium » Version: 0.15.0
cpe:2.3:a:pomerium:pomerium:0.15.0:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2021-39204

EPSS FAQ

0.41%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 58 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-39204

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.0	MEDIUM	AV:N/AC:L/Au:N/C:N/I:N/A:P	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H	3.9	3.6	GitHub, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2021-39204

CWE-834 Excessive Iteration

The product performs an iteration or loop without sufficiently limiting the number of times that the loop is executed.
Assigned by:
- nvd@nist.gov (Primary)
- security-advisories@github.com (Secondary)

References for CVE-2021-39204

https://github.com/pomerium/pomerium/security/advisories/GHSA-5wjf-62hw-q78r

Excessive CPU usage · Advisory · pomerium/pomerium · GitHub
Third Party Advisory
https://github.com/envoyproxy/envoy/security/advisories/GHSA-3xh3-33v5-chcc

Excessive CPU utilization when closing HTTP/2 streams · Advisory · envoyproxy/envoy · GitHub
Third Party Advisory

CVEs referencing this url
https://groups.google.com/g/envoy-announce/c/5xBpsEZZDfE/m/wD05NZBbAgAJ

Security releases of Envoy 1.19.1, 1.18.4, 1.17.4, and 1.16.5 are now available
Not Applicable

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2021-39204

Products affected by CVE-2021-39204

Exploit prediction scoring system (EPSS) score for CVE-2021-39204

CVSS scores for CVE-2021-39204

CWE ids for CVE-2021-39204

References for CVE-2021-39204