
x/vulndb: potential Go vuln in github.com/pomerium/pomerium: GHSA-cfc2-wjcm-c8fm #1359

Closed
GoVulnBot opened this issue Jan 9, 2023 · 1 comment


@GoVulnBot

In GitHub Security Advisory GHSA-cfc2-wjcm-c8fm, there is a vulnerability in the following Go packages or modules:

| Unit | Fixed | Vulnerable Ranges |
| --- | --- | --- |
| github.com/pomerium/pomerium | 0.15.1 | = 0.15.0 |

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: TODO
    versions:
      - introduced: TODO (earliest fixed "0.15.1", vuln range "= 0.15.0")
    packages:
      - package: github.com/pomerium/pomerium
  - module: TODO
    versions:
      - introduced: 0.11.0
        fixed: 0.14.8
    packages:
      - package: github.com/pomerium/pomerium
description: |
    Envoy, which Pomerium is based on, contains two authorization-related vulnerabilities:

    - [CVE-2021-32779](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32779): incorrectly transforms a URL containing a `#fragment` element, causing a mismatch in path-prefix based authorization decisions.
    - [CVE-2021-32777](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32777): incorrectly handles duplicate headers, dropping all but the last. This may lead to incorrect routing or authorization policy decisions.

    ### Impact
    With specially crafted requests, incorrect authorization or routing decisions may be made by Pomerium.

    ### Patches

    Pomerium v0.14.8 and v0.15.1 contain an upgraded envoy binary with these vulnerabilities patched.

    ### Workarounds

    - This issue can only be triggered when using path prefix based policy.  Removing any such policies should provide mitigation.


    ### References
    [envoy GHSA CVE-2021-32777](https://github.com/envoyproxy/envoy/security/advisories/GHSA-r222-74fw-jqr9)
    [envoy GHSA CVE-2021-32779](https://github.com/envoyproxy/envoy/security/advisories/GHSA-6g4j-5vrw-2m8h)
    [envoy announcement](https://groups.google.com/g/envoy-announce/c/5xBpsEZZDfE/m/wD05NZBbAgAJ)

    ### For more information
    If you have any questions or comments about this advisory:
    * Open an issue in [pomerium/pomerium](https://github.com/pomerium/pomerium/issues)
    * Email us at [security@pomerium.com](mailto:security@pomerium.com)
cves:
  - CVE-2021-39206
ghsas:
  - GHSA-cfc2-wjcm-c8fm
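Both issues in the advisory above are parser differentials between the component that makes the authorization decision and the component that acts on the request. The following Go program is an added example (not Pomerium's or Envoy's code, and not a reproduction of the exact Envoy bug mechanics) that constructs one instance of each: a `#fragment` that makes a prefix policy see `/public` while a toy upstream resolves the same request-target to `/admin`, and a repeated header where a last-value-wins authorizer and a first-value-reading upstream disagree. The `/public` prefix rule, the `X-Tenant` header, the `sandbox` tenant and the request-targets are all constructed for the example; the hardened variants reject a request-target containing `#` and reject ambiguous repeated headers instead of guessing.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"path"
	"strings"
)

// Decision is what the authorizer tells the proxy to do with a request.
type Decision int

const (
	Deny   Decision = iota // no matching allow rule: require a session
	Allow                  // forward to the upstream
	Reject                 // malformed request: answer 400, forward nothing
)

func (d Decision) String() string { return [...]string{"Deny", "Allow", "Reject"}[d] }

// Constructed policy in the spirit of a path-prefix rule (not Pomerium's policy
// syntax): everything under /public is open, anything else needs a session.
const publicPrefix = "/public"

// backendPath models a toy upstream handed the raw request-target: it treats
// '#' as an ordinary byte and resolves dot-segments. Real upstreams differ from
// each other here, which is exactly what makes a forwarded fragment dangerous.
func backendPath(rawTarget string) string { return path.Clean(rawTarget) }

func matchesPublic(p string) bool {
	return p == publicPrefix || strings.HasPrefix(p, publicPrefix+"/")
}

// vulnerableAuthorize uses url.Parse, which silently splits off the fragment,
// and evaluates the policy on what is left. Its view of the path can therefore
// differ from the upstream's view of the same bytes.
func vulnerableAuthorize(rawTarget string, authenticated bool) Decision {
	u, err := url.Parse(rawTarget)
	if err != nil {
		return Reject
	}
	if matchesPublic(path.Clean(u.Path)) || authenticated {
		return Allow
	}
	return Deny
}

// hardenedAuthorize refuses any request-target containing '#': a conforming
// client never sends a fragment, so one in the target is malformed and is
// rejected before any component can interpret it. The policy is evaluated on
// the canonical path, which is returned so the proxy forwards exactly what was
// authorized and the upstream cannot see a different path.
func hardenedAuthorize(rawTarget string, authenticated bool) (Decision, string) {
	if strings.Contains(rawTarget, "#") {
		return Reject, ""
	}
	u, err := url.Parse(rawTarget)
	if err != nil || !strings.HasPrefix(u.Path, "/") {
		return Reject, ""
	}
	p := path.Clean(u.Path)
	if matchesPublic(p) || authenticated {
		return Allow, p
	}
	return Deny, p
}

// Hypothetical header the policy keys on: only the "sandbox" tenant may pass
// without a session. Constructed for the example.
const (
	tenantHeader  = "X-Tenant"
	allowedTenant = "sandbox"
)

// flattenLastWins models an authorizer fed a single-valued header map: for a
// repeated header every value but the last is dropped.
func flattenLastWins(h http.Header) map[string]string {
	out := make(map[string]string, len(h))
	for k, vs := range h {
		if len(vs) > 0 {
			out[k] = vs[len(vs)-1]
		}
	}
	return out
}

func vulnerableTenantCheck(h http.Header) Decision {
	if flattenLastWins(h)[tenantHeader] == allowedTenant {
		return Allow
	}
	return Deny
}

// backendTenant is what the upstream acts on: http.Header.Get returns the
// FIRST value, so upstream and authorizer disagree on a repeated header.
func backendTenant(h http.Header) string { return h.Get(tenantHeader) }

// hardenedTenantCheck inspects every value and refuses an ambiguous (repeated)
// header instead of picking one.
func hardenedTenantCheck(h http.Header) Decision {
	vs := h.Values(tenantHeader)
	switch {
	case len(vs) > 1:
		return Reject
	case len(vs) == 1 && vs[0] == allowedTenant:
		return Allow
	default:
		return Deny
	}
}

func main() {
	raw := "/public#/../admin" // constructed attacker request-target
	fmt.Printf("authorizer: %s   upstream serves: %s\n", vulnerableAuthorize(raw, false), backendPath(raw))
	d, _ := hardenedAuthorize(raw, false)
	fmt.Printf("hardened:   %s\n", d)

	h := http.Header{}
	h.Add(tenantHeader, "production") // constructed: first value, read by upstream
	h.Add(tenantHeader, allowedTenant) // constructed: last value, seen by authorizer
	fmt.Printf("authorizer: %s   upstream tenant: %s   hardened: %s\n",
		vulnerableTenantCheck(h), backendTenant(h), hardenedTenantCheck(h))
}
```

The rejection of `#` mirrors the general lesson of the advisory rather than Pomerium's specific patch (which was an upgraded Envoy binary): when two components must agree on what a request means, the fix is to canonicalize once, up front, and refuse anything that the two parsers could read differently.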

@tatianab
Contributor

tatianab commented Jan 9, 2023

Duplicate of #897
