Pomerium is an open-source identity-aware access proxy. Envoy, on which Pomerium is built, contains two authorization-related vulnerabilities, CVE-2021-32777 and CVE-2021-32779. With specially crafted requests, these can cause Pomerium to make incorrect routing or authorization policy decisions. Pomerium v0.14.8 and v0.15.1 contain an upgraded Envoy binary with these vulnerabilities patched. This issue can only be triggered when using path-prefix-based policy, so removing any such policies should provide mitigation until the upgrade is applied.
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Envoy | Envoyproxy | * | 1.16.5 (excluding) |
| Envoy | Envoyproxy | 1.17.0 (including) | 1.17.4 (excluding) |
| Envoy | Envoyproxy | 1.18.0 (including) | 1.18.4 (excluding) |
| Envoy | Envoyproxy | 1.19.0 (including) | 1.19.0 (including) |
| Pomerium | Pomerium | 0.11.0 (including) | 0.14.8 (excluding) |
| Pomerium | Pomerium | 0.15.0 (including) | 0.15.0 (including) |
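A triage helper for this advisory, added here as an example and not part of Pomerium or Envoy: it encodes the Pomerium rows of the table above and flags policy entries that use a path prefix matcher, the condition the advisory names as necessary to trigger the issue. The route entries are constructed sample data shaped like entries in Pomerium's `policy` list (`from`/`to`/`prefix`/`path`).

```python
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# (start inclusive, end, end_inclusive) taken from the advisory's Pomerium rows.
AFFECTED_POMERIUM: List[Tuple[Version, Version, bool]] = [
    ((0, 11, 0), (0, 14, 8), False),  # 0.11.0 <= v < 0.14.8
    ((0, 15, 0), (0, 15, 0), True),   # v == 0.15.0
]


def parse_version(text: str) -> Version:
    """Parse 'v0.14.8' or '0.14.8' into a comparable (major, minor, patch) tuple."""
    parts = text.lstrip("v").split("-")[0].split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version: {text!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))


def version_affected(version: str) -> bool:
    """True if the Pomerium version falls inside an affected range from the table."""
    v = parse_version(version)
    for start, end, end_inclusive in AFFECTED_POMERIUM:
        if v < start:
            continue
        if v < end or (end_inclusive and v == end):
            return True
    return False


def prefix_policies(policy: List[Dict]) -> List[Dict]:
    """Return the policy entries that match requests on a path prefix."""
    return [p for p in policy if "prefix" in p]


def triage(version: str, policy: List[Dict]) -> Dict:
    """Combine the version check with the policy scan into one verdict."""
    hits = prefix_policies(policy)
    exposed = version_affected(version) and bool(hits)
    return {
        "version_affected": version_affected(version),
        "prefix_routes": [f"{p['from']}{p['prefix']}" for p in hits],
        "exposed": exposed,
        "action": ("upgrade to 0.14.8 / 0.15.1 or remove prefix-based policies"
                   if exposed else "none required by this advisory"),
    }


# Constructed sample policy (hypothetical hosts), not taken from any real deployment.
SAMPLE_POLICY = [
    {"from": "https://app.example.com", "to": "http://app:8080", "prefix": "/admin"},
    {"from": "https://app.example.com", "to": "http://app:8080", "path": "/healthz"},
]

if __name__ == "__main__":
    print(triage("v0.15.0", SAMPLE_POLICY))
```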
Assuming a user with a given identity, authorization is the process of determining whether that user can access a given resource, based on the user’s privileges and any permissions or other access-control specifications that apply to the resource. When access control checks are incorrectly applied, users are able to access data or perform actions that they should not be allowed to perform. This can lead to a wide range of problems, including information exposures, denial of service, and arbitrary code execution.