Vulnerability Description
Pomerium is an identity-aware access proxy. In distributed service mode, Pomerium's Authenticate service exposes the pprof debug and Prometheus metrics handlers to untrusted traffic. This can leak potentially sensitive environmental information or lead to limited denial-of-service conditions. This issue is patched in version v0.17.1.
Workarounds: Block access to the `/debug` and `/metrics` paths on the authenticate service. This can be done with any L7 proxy, including Pomerium's own proxy service.
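As an added example (not from the advisory or the Pomerium project), the following Python check lets an operator confirm that the workaround above is actually in place on their own authenticate service: it requests the `/debug/pprof/` and `/metrics` paths and reports them as exposed only if the response body looks like the Go pprof index or Prometheus text exposition, so a login page or redirect is not mistaken for a leak. The base URL is a placeholder, and the `fetch` parameter is injectable so the logic can be exercised offline.

```python
"""Verify that an authenticate service no longer serves pprof/metrics handlers.

Added example; the authenticate URL is a placeholder supplied by the operator.
"""
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Paths the advisory says must be blocked on the authenticate service.
DEBUG_PATHS = ["/debug/pprof/", "/metrics"]


@dataclass
class Finding:
    path: str
    status: int
    exposed: bool
    reason: str


def looks_like_pprof(body: str) -> bool:
    # Go's net/http/pprof index page lists the available profile names.
    return all(name in body for name in ("heap", "goroutine", "profile"))


def looks_like_prometheus(body: str) -> bool:
    # Prometheus text exposition format carries '# HELP' / '# TYPE' comment lines.
    return any(line.startswith(("# HELP", "# TYPE")) for line in body.splitlines())


def default_fetch(url: str) -> Tuple[int, str]:
    req = urllib.request.Request(url, headers={"User-Agent": "mitigation-check"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""


def check_authenticate(base_url: str,
                       fetch: Callable[[str], Tuple[int, str]] = default_fetch) -> List[Finding]:
    findings = []
    for path in DEBUG_PATHS:
        status, body = fetch(base_url.rstrip("/") + path)
        if status != 200:
            findings.append(Finding(path, status, False, "blocked (non-200)"))
        elif path == "/metrics" and looks_like_prometheus(body):
            findings.append(Finding(path, status, True, "Prometheus exposition served"))
        elif path.startswith("/debug") and looks_like_pprof(body):
            findings.append(Finding(path, status, True, "pprof index served"))
        else:
            findings.append(Finding(path, status, False, "200 but not the debug handler"))
    return findings


def is_mitigated(findings: List[Finding]) -> bool:
    return not any(f.exposed for f in findings)
```

Run it as `check_authenticate("https://authenticate.example.test")` and treat any `exposed=True` finding as the workaround not being applied.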
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Pomerium | Pomerium | >= 0.16.0, < 0.17.1 |
Related Weaknesses (CWE)
References
- https://github.com/pomerium/pomerium/commit/b435f73e2b54088da2aca5e8c3aa1808293d (Patch, Third Party Advisory)
- https://github.com/pomerium/pomerium/pull/3212 (Issue Tracking, Patch, Third Party Advisory)
- https://github.com/pomerium/pomerium/security/advisories/GHSA-q98f-2x4p-prjr (Mitigation, Third Party Advisory)
FAQ
What is CVE-2022-24797?
CVE-2022-24797 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Pomerium is an identity-aware access proxy. In distributed service mode, Pomerium's Authenticate service exposes pprof debug and prometheus metrics handlers to untrusted traffic. This can leak potenti...
How severe is CVE-2022-24797?
CVE-2022-24797 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2022-24797?
Check the references section above for vendor advisories and patch information. Affected products include: Pomerium (vendor: Pomerium).