
CVE-2021-39204

High · DDoS

Published: 09 September 2021
Modified: 21 November 2024
KEV Added: none (not listed in CISA KEV)
Patch: available
CVSS Score (v3.1): 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0041 (61.6th percentile)
Risk Priority: 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-39204 is a high-severity Excessive Iteration (CWE-834) vulnerability in Envoyproxy Envoy. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 38.4% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

Pomerium is an open source identity-aware access proxy. Envoy, which Pomerium is based on, incorrectly handles resetting of HTTP/2 streams with excessive complexity. This can lead to high CPU utilization when a large number of streams are reset. This can result in a DoS condition. Pomerium versions 0.14.8 and 0.15.1 contain an upgraded envoy binary with this vulnerability patched.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

envoyproxy / envoy: 1.19.0 · ≤ 1.16.4 · 1.17.0 to 1.17.4 · 1.18.0 to 1.18.4
pomerium / pomerium: 0.15.0 · ≤ 0.14.8

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References