What is CVE-2021-39206?

CVE-2021-39206 is a vulnerability in Pomerium, an open source identity-aware access proxy, that is caused by two authorization vulnerabilities in the underlying Envoy proxy (CVE-2021-32777 and CVE-2021-32779).

How does CVE-2021-39206 affect Envoy?

CVE-2021-39206 affects Envoy versions 1.16.5 up to and including 1.19.0, which are used by Pomerium. It may lead to incorrect routing or authorization policy decisions.

How does CVE-2021-39206 impact Pomerium?

CVE-2021-39206 impacts Pomerium versions 0.11.0 up to and including 0.15.0, as they rely on the affected Envoy versions. It may result in incorrect authorization due to specially crafted requests.

What is the severity of CVE-2021-39206?

CVE-2021-39206 has a severity score of 8.6 (high).

How can I fix CVE-2021-39206 in Pomerium?

To fix CVE-2021-39206 in Pomerium, you should update to a version that includes a patched version of Envoy (higher than 1.19.0) and has fixed the vulnerability.

Vulnerability/
CVE-2021-39206

high

8.6

CWE

863

9/9/2021

4/8/2024

CVE-2021-39206: Incorrect Authorization with specially crafted requests

First published: Thu Sep 09 2021(Updated: )

Pomerium is an open source identity-aware access proxy. Envoy, which Pomerium is based on, contains two authorization related vulnerabilities CVE-2021-32777 and CVE-2021-32779. This may lead to incorrect routing or authorization policy decisions. With specially crafted requests, incorrect authorization or routing decisions may be made by Pomerium. Pomerium v0.14.8 and v0.15.1 contain an upgraded envoy binary with these vulnerabilities patched. This issue can only be triggered when using path prefix based policy. Removing any such policies should provide mitigation.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
Envoyproxy Envoy	<1.16.5
Envoyproxy Envoy	>=1.17.0<1.17.4
Envoyproxy Envoy	>=1.18.0<1.18.4
Envoyproxy Envoy	=1.19.0
Pomerium Pomerium	>=0.11.0<0.14.8
Pomerium Pomerium	=0.15.0

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2021-39206?
CVE-2021-39206 is a vulnerability in Pomerium, an open source identity-aware access proxy, that is caused by two authorization vulnerabilities in the underlying Envoy proxy (CVE-2021-32777 and CVE-2021-32779).
How does CVE-2021-39206 affect Envoy?
CVE-2021-39206 affects Envoy versions 1.16.5 up to and including 1.19.0, which are used by Pomerium. It may lead to incorrect routing or authorization policy decisions.
How does CVE-2021-39206 impact Pomerium?
CVE-2021-39206 impacts Pomerium versions 0.11.0 up to and including 0.15.0, as they rely on the affected Envoy versions. It may result in incorrect authorization due to specially crafted requests.
What is the severity of CVE-2021-39206?
CVE-2021-39206 has a severity score of 8.6 (high).
How can I fix CVE-2021-39206 in Pomerium?
To fix CVE-2021-39206 in Pomerium, you should update to a version that includes a patched version of Envoy (higher than 1.19.0) and has fixed the vulnerability.

collector/nvd-index
agent/references
agent/type
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/title
agent/weakness
agent/author
agent/severity
agent/tags
agent/description
agent/first-publish-date
agent/event
vendor/envoyproxy
canonical/envoyproxy envoy
version/envoyproxy envoy/1.17.0
version/envoyproxy envoy/1.18.0
version/envoyproxy envoy/1.19.0
vendor/pomerium
canonical/pomerium pomerium
version/pomerium pomerium/0.11.0
version/pomerium pomerium/0.15.0

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.