Description
Pomerium is an identity-aware access proxy. In distributed service mode, Pomerium's Authenticate service exposes pprof debug and prometheus metrics handlers to untrusted traffic. This can leak potentially sensitive environmental information or lead to limited denial of service conditions. This issue is patched in version v0.17.1 Workarounds: Block access to `/debug` and `/metrics` paths on the authenticate service. This can be done with any L7 proxy, including Pomerium's own proxy service.
References (3)
Core 3
Core References
Mitigation, Third Party Advisory x_refsource_confirm
https://github.com/pomerium/pomerium/security/advisories/GHSA-q98f-2x4p-prjr
Issue Tracking, Patch, Third Party Advisory x_refsource_misc
https://github.com/pomerium/pomerium/pull/3212
Patch, Third Party Advisory x_refsource_misc
https://github.com/pomerium/pomerium/commit/b435f73e2b54088da2aca5e8c3aa1808293d6903
Scores
CVSS v3
6.5
EPSS
0.0047
EPSS Percentile
64.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-200
Status
published
Products (2)
pomerium/pomerium
0.16.0 - 0.17.1
pomerium/pomerium
0.16.0 - 0.17.1Go
Published
Mar 31, 2022
Tracked Since
Feb 18, 2026