8.6

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-39206

GHSA ID

GHSA-cfc2-wjcm-c8fm

EPSS Score

0.37991%

CWE

CWE-863

Published

9/10/2021

Updated

2/1/2023

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-39206

CVE-2021-39206:
Incorrect Authorization with specially crafted requests

Envoy, which Pomerium is based on, contains two authorization related vulnerabilities:

CVE-2021-32777: incorrectly transform a URL containing a #fragment element, causing a mismatch in path-prefix based authorization decisions.
CVE-2021-32779: incorrectly handle duplicate headers, dropping all but the last. This may lead to incorrect routing or authorization policy decisions.

Impact

With specially crafted requests, incorrect authorization or routing decisions may be made by Pomerium.

Patches

Pomerium v0.14.8 and v0.15.1 contain an upgraded envoy binary with these vulnerabilities patched.

Workarounds

This issue can only be triggered when using path prefix based policy. Removing any such policies should provide mitigation.

References

envoy GSA CVE-2021-32777 envoy GSA CVE-2021-32779 envoy announcement

For more information

If you have any questions or comments about this advisory:

Open an issue in pomerium/pomerium
Email us at security@pomerium.com

(GitHub Advisory)

8.6

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-39206

GHSA ID

GHSA-cfc2-wjcm-c8fm

EPSS Score

0.37991%

CWE

CWE-863

Published

9/10/2021

Updated

2/1/2023

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/pomerium/pomerium	go	>= 0.11.0, < 0.14.8	0.14.8
github.com/pomerium/pomerium	go	= 0.15.0	0.15.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability originates from Envoy's core functionality that Pomerium depends on, not from Pomerium's own codebase. The CVE-2021-32777 and CVE-2021-32779 vulnerabilities exist in Envoy's handling of HTTP headers and URI fragments, specifically in functions related to the ext-authz extension and path normalization logic. However, the provided data does not include Pomerium-specific code or functions that directly implement these flawed behaviors. The vulnerability is mitigated by updating the embedded Envoy binary, not by modifying Pomerium's source code. Thus, no vulnerable functions within the pomerium/pomerium package itself can be identified with high confidence.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*nvoy, w*i** Pom*rium is **s** on, *ont*ins two *ut*oriz*tion r*l*t** vuln*r**iliti*s: - [*V*-****-*****](*ttps://*v*.mitr*.or*/**i-*in/*v*n*m*.**i?n*m*=*V*-****-*****): in*orr**tly tr*ns*orm * URL *ont*inin* * `#*r**m*nt` *l*m*nt, **usin* * mism*t*

Reasoning

T** vuln*r**ility ori*in*t*s *rom *nvoy's *or* *un*tion*lity t**t Pom*rium **p*n*s on, not *rom Pom*rium's own *o****s*. T** *V*-****-***** *n* *V*-****-***** vuln*r**iliti*s *xist in *nvoy's **n*lin* o* `*TTP` *****rs *n* URI *r**m*nts, sp**i*i**lly

8.6

Basic Information

Concerned about an active attack path?

CVE-2021-39206: Incorrect Authorization with specially crafted requests

Impact

Patches

Workarounds

References

For more information

8.6

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2021-39206:
Incorrect Authorization with specially crafted requests

Vulnerability Intelligence
Miggo AI