N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-j34v-3552-5r7j

EPSS Score

CWE

Published

3/1/2022

Updated

1/11/2023

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-j34v-3552-5r7j

GHSA-j34v-3552-5r7j: Multiple security issues in Pomerium's embedded envoy

Envoy, which Pomerium is based on, has issued multiple CVEs impacting stability and security.

Though Pomerium may not be vulnerable to all of the issues, it is recommended that all users upgrade to Pomerium v0.16.4 as soon as possible to minimize risk.

Impact

Possible DoS or crash
Resources available to unauthorized users
Pomerium may trust upstream certificates that should not be trusted

Patches

Patched in v0.16.4

Workarounds

References

Envoy Security Announcement

CVE-2021-43824 (CVSS Score 6.5, Medium): Envoy 1.21.0 and earlier - Potential null pointer dereference when using JWT filter safe_regex match
CVE-2021-43825 (CVSS Score 6.1, Medium): Envoy 1.21.0 and earlier - Use-after-free when response filters increase response data, and increased data exceeds downstream buffer limits.
CVE-2021-43826 (CVSS Score 6.1, Medium): Envoy 1.21.0 and earlier - Use-after-free when tunneling TCP over HTTP, if downstream disconnects during upstream connection establishment
CVE-2022-21654 (CVSS Score 7.3, High): Envoy 1.7.0 and later - Incorrect configuration handling allows mTLS session re-use without re-validation after validation settings have changed.
CVE-2022-21655 (CVSS Score 7.5, High): Envoy 1.21 and earlier - Incorrect handling of internal redirects to routes with a direct response entry
CVE-2022-21657 (CVSS Score 3.1, Low): Envoy 1.20.1 and earlier - X.509 Extended Key Usage and Trust Purposes bypass

For more information

If you have any questions or comments about this advisory:

Open an issue in pomerium/pomerium Email us at security@pomerium.com

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-j34v-3552-5r7j

EPSS Score

CWE

Published

3/1/2022

Updated

1/11/2023

KEV Status

Technology

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/pomerium/pomerium	go	< 0.16.4	0.16.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The provided vulnerability information describes issues in Envoy (a dependency of Pomerium), but does not include specific code references, commit diffs, or function names within the Pomerium codebase itself. The advisory explicitly states Pomerium 'may not be vulnerable to all of the issues' and recommends upgrading the entire component. Without concrete evidence of vulnerable Pomerium-specific functions or code modifications related to these CVEs, we cannot confidently identify specific functions in github.com/pomerium/pomerium that implement the vulnerable Envoy functionality. The fix appears to involve updating the embedded Envoy dependency rather than modifying Pomerium's own functions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*nvoy, w*i** Pom*rium is **s** on, **s issu** multipl* *V*s imp**tin* st**ility *n* s**urity. T*ou** Pom*rium m*y not ** vuln*r**l* to *ll o* t** issu*s, it is r**omm*n*** t**t *ll us*rs up*r*** to Pom*rium v*.**.* *s soon *s possi*l* to minimiz* ri

Reasoning

T** provi*** vuln*r**ility in*orm*tion **s*ri**s issu*s in *nvoy (* **p*n**n*y o* Pom*rium), *ut *o*s not in*lu** sp**i*i* *o** r***r*n**s, *ommit *i**s, or *un*tion n*m*s wit*in t** Pom*rium *o****s* its*l*. T** **visory *xpli*itly st*t*s Pom*rium '

N/A

Basic Information

Concerned about an active attack path?

GHSA-j34v-3552-5r7j: Multiple security issues in Pomerium's embedded envoy

Impact

Patches

Workarounds

References

For more information

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI