{"id":"GHSA-cfc2-wjcm-c8fm","summary":"Incorrect Authorization with specially crafted requests","details":"Envoy, which Pomerium is based on, contains two authorization related vulnerabilities:\n\n- [CVE-2021-32777](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32779): incorrectly transform a URL containing a `#fragment` element, causing a mismatch in path-prefix based authorization decisions.\n- [CVE-2021-32779](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32777): incorrectly handle duplicate headers, dropping all but the last.  This may lead to incorrect routing or authorization policy decisions.\n\n### Impact\nWith specially crafted requests, incorrect authorization or routing decisions may be made by Pomerium.\n\n### Patches\n\nPomerium v0.14.8 and v0.15.1 contain an upgraded envoy binary with these vulnerabilities patched.\n\n### Workarounds\n\n- This issue can only be triggered when using path prefix based policy.  Removing any such policies should provide mitigation.\n\n\n### References\n[envoy GSA CVE-2021-32777](https://github.com/envoyproxy/envoy/security/advisories/GHSA-r222-74fw-jqr9)\n[envoy GSA CVE-2021-32779](https://github.com/envoyproxy/envoy/security/advisories/GHSA-6g4j-5vrw-2m8h)\n[envoy announcement](https://groups.google.com/g/envoy-announce/c/5xBpsEZZDfE/m/wD05NZBbAgAJ)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [pomerium/pomerium](https://github.com/pomerium/pomerium/issues)\n* Email us at [security@pomerium.com](mailto:security@pomerium.com)\n","aliases":["BIT-envoy-2021-39206","CVE-2021-39206"],"modified":"2026-01-30T00:34:08.154744Z","published":"2021-09-10T17:54:25Z","related":["CVE-2021-39206"],"database_specific":{"cwe_ids":["CWE-863"],"github_reviewed":true,"severity":"HIGH","github_reviewed_at":"2021-09-10T16:40:43Z","nvd_published_at":"2021-09-09T23:15:00Z"},"references":[{"type":"WEB","url":"https://github.com/envoyproxy/envoy/security/advisories/GHSA-6g4j-5vrw-2m8h"},{"type":"WEB","url":"https://github.com/envoyproxy/envoy/security/advisories/GHSA-r222-74fw-jqr9"},{"type":"WEB","url":"https://github.com/pomerium/pomerium/security/advisories/GHSA-cfc2-wjcm-c8fm"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-39206"},{"type":"PACKAGE","url":"https://github.com/pomerium/pomerium"},{"type":"WEB","url":"https://groups.google.com/g/envoy-announce/c/5xBpsEZZDfE/m/wD05NZBbAgAJ"}],"affected":[{"package":{"name":"github.com/pomerium/pomerium","ecosystem":"Go","purl":"pkg:golang/github.com/pomerium/pomerium"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.11.0"},{"fixed":"0.14.8"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-cfc2-wjcm-c8fm/GHSA-cfc2-wjcm-c8fm.json"}},{"package":{"name":"github.com/pomerium/pomerium","ecosystem":"Go","purl":"pkg:golang/github.com/pomerium/pomerium"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.15.0"},{"fixed":"0.15.1"}]}],"versions":["0.15.0"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-cfc2-wjcm-c8fm/GHSA-cfc2-wjcm-c8fm.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"}]}