CVE-2021-39206: 
NixOS vulnerability analysis and mitigation

Pomerium, an open source identity-aware access proxy based on Envoy, was found to contain authorization-related vulnerabilities (CVE-2021-39206) that could lead to incorrect routing or authorization policy decisions. The vulnerability was disclosed on September 9, 2021, affecting Pomerium versions 0.11.0-0.14.7 and 0.15.0. The issue stems from two underlying Envoy vulnerabilities (CVE-2021-32777 and CVE-2021-32779) related to URL fragment handling and duplicate header processing (Pomerium Advisory).

The vulnerability consists of two main components: 1) Incorrect transformation of URLs containing #fragment elements, causing mismatches in path-prefix based authorization decisions, and 2) Improper handling of duplicate headers, where all but the last header value are dropped. These issues could allow specially crafted requests to bypass authorization controls or trigger incorrect routing decisions (Envoy Announce).

When exploited, this vulnerability could allow attackers to bypass authorization controls and make incorrect routing or authorization policy decisions through specially crafted requests. The impact is particularly significant when using path prefix based policy configurations (Pomerium Advisory).

The vulnerability has been patched in Pomerium versions 0.14.8 and 0.15.1, which contain an upgraded Envoy binary with these vulnerabilities addressed. As a temporary workaround, users can remove any path prefix based policies to mitigate the risk (Pomerium Advisory).