cvelist/2021/39xxx/CVE-2021-39162.json

{
    "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2021-39162",
        "STATE": "PUBLIC",
        "TITLE": "Incorrect handling of H2 GOAWAY + SETTINGS frames"
    },
    "affects": {
        "vendor": {
            "vendor_data": [
                {
                    "product": {
                        "product_data": [
                            {
                                "product_name": "pomerium",
                                "version": {
                                    "version_data": [
                                        {
                                            "version_value": ">= 0.15.0, < 0.15.1"
                                        }
                                    ]
                                }
                            }
                        ]
                    },
                    "vendor_name": "pomerium"
                }
            ]
        }
    },
    "data_format": "MITRE",
    "data_type": "CVE",
    "data_version": "4.0",
    "description": {
        "description_data": [
            {
                "lang": "eng",
                "value": "Pomerium is an open source identity-aware access proxy. Envoy, which Pomerium is based on, can abnormally terminate if an H/2 GOAWAY and SETTINGS frame are received in the same IO event. This can lead to a DoS in the presence of untrusted *upstream* servers. 0.15.1 contains an upgraded envoy binary with this vulnerability patched. If only trusted upstreams are configured, there is not substantial risk of this condition being triggered."
            }
        ]
    },
    "impact": {
        "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
            "version": "3.1"
        }
    },
    "problemtype": {
        "problemtype_data": [
            {
                "description": [
                    {
                        "lang": "eng",
                        "value": "CWE-754: Improper Check for Unusual or Exceptional Conditions"
                    }
                ]
            }
        ]
    },
    "references": {
        "reference_data": [
            {
                "name": "https://groups.google.com/g/envoy-announce/c/5xBpsEZZDfE/m/wD05NZBbAgAJ",
                "refsource": "MISC",
                "url": "https://groups.google.com/g/envoy-announce/c/5xBpsEZZDfE/m/wD05NZBbAgAJ"
            },
            {
                "name": "https://github.com/pomerium/pomerium/security/advisories/GHSA-gjcg-vrxg-xmgv",
                "refsource": "CONFIRM",
                "url": "https://github.com/pomerium/pomerium/security/advisories/GHSA-gjcg-vrxg-xmgv"
            },
            {
                "name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-j374-mjrw-vvp8",
                "refsource": "MISC",
                "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-j374-mjrw-vvp8"
            }
        ]
    },
    "source": {
        "advisory": "GHSA-gjcg-vrxg-xmgv",
        "discovery": "UNKNOWN"
    }
}
"-Synchronized-Data." 2021-08-16 21:01:17 +00:00			`{`
			`"CVE_data_meta": {`
Add CVE-2021-39162 for GHSA-gjcg-vrxg-xmgv Add CVE-2021-39162 for GHSA-gjcg-vrxg-xmgv 2021-09-09 22:00:48 +00:00			`"ASSIGNER": "security-advisories@github.com",`
"-Synchronized-Data." 2021-08-16 21:01:17 +00:00			`"ID": "CVE-2021-39162",`
Add CVE-2021-39162 for GHSA-gjcg-vrxg-xmgv Add CVE-2021-39162 for GHSA-gjcg-vrxg-xmgv 2021-09-09 22:00:48 +00:00			`"STATE": "PUBLIC",`
			`"TITLE": "Incorrect handling of H2 GOAWAY + SETTINGS frames"`
"-Synchronized-Data." 2021-08-16 21:01:17 +00:00			`},`
Add CVE-2021-39162 for GHSA-gjcg-vrxg-xmgv Add CVE-2021-39162 for GHSA-gjcg-vrxg-xmgv 2021-09-09 22:00:48 +00:00			`"affects": {`
			`"vendor": {`
			`"vendor_data": [`
			`{`
			`"product": {`
			`"product_data": [`
			`{`
			`"product_name": "pomerium",`
			`"version": {`
			`"version_data": [`
			`{`
			`"version_value": ">= 0.15.0, < 0.15.1"`
			`}`
			`]`
			`}`
			`}`
			`]`
			`},`
			`"vendor_name": "pomerium"`
			`}`
			`]`
			`}`
			`},`
			`"data_format": "MITRE",`
			`"data_type": "CVE",`
			`"data_version": "4.0",`
"-Synchronized-Data." 2021-08-16 21:01:17 +00:00			`"description": {`
			`"description_data": [`
			`{`
			`"lang": "eng",`
"-Synchronized-Data." 2021-09-09 23:00:56 +00:00			`"value": "Pomerium is an open source identity-aware access proxy. Envoy, which Pomerium is based on, can abnormally terminate if an H/2 GOAWAY and SETTINGS frame are received in the same IO event. This can lead to a DoS in the presence of untrusted upstream servers. 0.15.1 contains an upgraded envoy binary with this vulnerability patched. If only trusted upstreams are configured, there is not substantial risk of this condition being triggered."`
"-Synchronized-Data." 2021-08-16 21:01:17 +00:00			`}`
			`]`
Add CVE-2021-39162 for GHSA-gjcg-vrxg-xmgv Add CVE-2021-39162 for GHSA-gjcg-vrxg-xmgv 2021-09-09 22:00:48 +00:00			`},`
			`"impact": {`
			`"cvss": {`
			`"attackComplexity": "LOW",`
			`"attackVector": "NETWORK",`
			`"availabilityImpact": "HIGH",`
			`"baseScore": 8.6,`
			`"baseSeverity": "HIGH",`
			`"confidentialityImpact": "NONE",`
			`"integrityImpact": "NONE",`
			`"privilegesRequired": "NONE",`
			`"scope": "CHANGED",`
			`"userInteraction": "NONE",`
			`"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",`
			`"version": "3.1"`
			`}`
			`},`
			`"problemtype": {`
			`"problemtype_data": [`
			`{`
			`"description": [`
			`{`
			`"lang": "eng",`
			`"value": "CWE-754: Improper Check for Unusual or Exceptional Conditions"`
			`}`
			`]`
			`}`
			`]`
			`},`
			`"references": {`
			`"reference_data": [`
"-Synchronized-Data." 2021-09-09 23:00:56 +00:00			`{`
			`"name": "https://groups.google.com/g/envoy-announce/c/5xBpsEZZDfE/m/wD05NZBbAgAJ",`
			`"refsource": "MISC",`
			`"url": "https://groups.google.com/g/envoy-announce/c/5xBpsEZZDfE/m/wD05NZBbAgAJ"`
			`},`
Add CVE-2021-39162 for GHSA-gjcg-vrxg-xmgv Add CVE-2021-39162 for GHSA-gjcg-vrxg-xmgv 2021-09-09 22:00:48 +00:00			`{`
			`"name": "https://github.com/pomerium/pomerium/security/advisories/GHSA-gjcg-vrxg-xmgv",`
			`"refsource": "CONFIRM",`
			`"url": "https://github.com/pomerium/pomerium/security/advisories/GHSA-gjcg-vrxg-xmgv"`
			`},`
			`{`
			`"name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-j374-mjrw-vvp8",`
			`"refsource": "MISC",`
			`"url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-j374-mjrw-vvp8"`
			`}`
			`]`
			`},`
			`"source": {`
			`"advisory": "GHSA-gjcg-vrxg-xmgv",`
			`"discovery": "UNKNOWN"`
"-Synchronized-Data." 2021-08-16 21:01:17 +00:00			`}`
			`}`