Description
Pomerium is an open source identity-aware access proxy. Envoy, which Pomerium is based on, can abnormally terminate if an H/2 GOAWAY and SETTINGS frame are received in the same IO event. This can lead to a DoS in the presence of untrusted *upstream* servers. 0.15.1 contains an upgraded envoy binary with this vulnerability patched. If only trusted upstreams are configured, there is not substantial risk of this condition being triggered.
Remediation
References
Related Vulnerabilities
Moodle Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2011-4281)
Drupal Permissions, Privileges, and Access Controls Vulnerability (CVE-2014-5267)
WordPress Plugin Wp-Pro-Quiz Cross-Site Request Forgery (0.37)
WordPress Plugin Alert Before Your Post Cross-Site Scripting (0.1.1)
Oracle Application Server Other Vulnerability (CVE-2007-0284)