CVE-2022-24797: Exposure of debug and metrics endpoints in Pomerium
In distributed service mode, Pomerium’s Authenticate service exposes its pprof debug and Prometheus metrics handlers to untrusted traffic. This can leak potentially sensitive information about the runtime environment or lead to limited denial-of-service conditions.
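As an added illustration that is not Pomerium's code (the advisory does not show how its handlers were mounted), the Go sketch below contrasts a service that registers pprof and metrics on the same mux its untrusted listener serves with one that keeps them on a separate admin-only mux, and includes the in-memory check a defender can run against either handler. The route paths and the metrics handler are assumptions, not Pomerium's actual routes.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/pprof"
)

// Conventional Go pprof and Prometheus paths (assumed; the advisory does
// not list Pomerium's actual routes).
var debugPaths = []string{"/debug/pprof/", "/metrics"}
// publicRoutes holds what untrusted clients may reach; debugRoutes holds
// the operator-only handlers (the metrics one is a constructed stand-in).
func publicRoutes(mux *http.ServeMux) {
	mux.HandleFunc("/healthz", func(w http.ResponseWriter, _ *http.Request) { fmt.Fprintln(w, "ok") })
}
func debugRoutes(mux *http.ServeMux) {
	mux.HandleFunc("/debug/pprof/", pprof.Index)
	mux.HandleFunc("/metrics", func(w http.ResponseWriter, _ *http.Request) { fmt.Fprintln(w, "up 1") })
}

// VulnerableHandler mounts both route sets on one mux served to untrusted traffic.
func VulnerableHandler() http.Handler {
	mux := http.NewServeMux()
	publicRoutes(mux)
	debugRoutes(mux)
	return mux
}

// HardenedHandler splits them; serve admin from a localhost-bound http.Server.
func HardenedHandler() (public, admin http.Handler) {
	pub, adm := http.NewServeMux(), http.NewServeMux()
	publicRoutes(pub)
	debugRoutes(adm)
	return pub, adm
}

// ExposedDebugPaths returns the debug paths h answers with 200 (in-memory GET).
func ExposedDebugPaths(h http.Handler) []string {
	var exposed []string
	for _, p := range debugPaths {
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, p, nil))
		if rec.Code == http.StatusOK {
			exposed = append(exposed, p)
		}
	}
	return exposed
}
```

The same loop issued with http.Get against a deployment's public listener is the post-upgrade check that the debug paths no longer answer.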
References
- github.com/advisories/GHSA-q98f-2x4p-prjr
- github.com/pomerium/pomerium
- github.com/pomerium/pomerium/commit/b435f73e2b54088da2aca5e8c3aa1808293d6903
- github.com/pomerium/pomerium/pull/3212
- github.com/pomerium/pomerium/security/advisories/GHSA-q98f-2x4p-prjr
- nvd.nist.gov/vuln/detail/CVE-2022-24797
- pkg.go.dev/vuln/GO-2022-0413