CVE-2022-24797: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in pomerium pomerium
Pomerium is an identity-aware access proxy. In distributed service mode, Pomerium's Authenticate service exposes pprof debug and Prometheus metrics handlers to untrusted traffic. This can leak potentially sensitive environmental information or lead to limited denial of service conditions. This issue is patched in version v0.17.1. Workarounds: block access to the `/debug` and `/metrics` paths on the authenticate service. This can be done with any L7 proxy, including Pomerium's own proxy service.
AI Analysis
Technical Summary
CVE-2022-24797 is a vulnerability in Pomerium, an identity-aware access proxy used to put authentication and authorization policy in front of internal applications. The affected range listed here is versions from v0.16.0 up to but not including v0.17.1. Pomerium can run as a single all-in-one process or in distributed (split) service mode, where the proxy, authenticate, authorize and databroker components run as separate services. In split mode the Authenticate service is necessarily reachable by end users, because browsers are redirected to it to complete the login flow, and it is this service that also served Go's pprof debug handlers under `/debug` and the Prometheus metrics handler at `/metrics` on the same listener, with no authentication in front of them.

The exposed surface is the standard net/http/pprof one: `/debug/pprof/cmdline` returns the process command line, `/debug/pprof/goroutine` returns the stack of every goroutine (revealing code paths, in-flight request handling and internal hostnames), `/debug/pprof/heap` and `/debug/pprof/allocs` return allocation profiles, and `/metrics` exposes request counters whose labels commonly include version strings and upstream names. This is an information disclosure under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). It does not by itself give remote code execution or privilege escalation, but it hands an unauthenticated attacker reconnaissance data about the authentication tier. The limited denial of service comes from the cost of the profiling endpoints: `/debug/pprof/profile` and `/debug/pprof/trace` run a CPU profile or execution trace for a caller-chosen number of seconds, and a handful of concurrent requests can noticeably degrade the service.

The issue is fixed in Pomerium v0.17.1. Until an upgrade is possible, the workaround is to block the `/debug` and `/metrics` path prefixes on the Authenticate service with any Layer 7 proxy, including Pomerium's own proxy service. No exploitation in the wild was known as of the published date, but diagnostic endpoints reachable from untrusted networks are a real risk if left unmitigated.
Potential Impact
For European organizations running Pomerium in split mode, the exposure has the following effects. Confidentiality: an unauthenticated party can read the Authenticate service's command line, goroutine stacks, allocation profiles and metrics, which reveal the runtime state and internal layout of a critical piece of the authentication infrastructure. The standard pprof handlers do not serve environment variables, so the concrete concerns are secrets passed on the command line, data visible in stack traces, and deployment details such as internal hostnames and version strings. That reconnaissance can support follow-on attacks such as targeted exploitation of other weaknesses or lateral movement. Integrity: affected only indirectly, if the disclosed information helps an attacker interfere with authentication flows. Availability: repeated CPU-profile or trace requests can degrade the Authenticate service, and every protected application depends on it for login, so degradation there interrupts access across the estate. Organizations in regulated sectors such as finance, healthcare or critical infrastructure face the corresponding compliance exposure, and the leak of deployment-specific detail is most concerning in shared cloud environments. No active exploitation is reported, but `/debug/pprof/` and `/metrics` are on every scanner's wordlist, so an exposed instance will be found by routine probing of European enterprise networks.
Mitigation Recommendations
The primary fix for CVE-2022-24797 is to upgrade Pomerium to v0.17.1 or later. Where that cannot happen immediately, block the `/debug` and `/metrics` paths on the Authenticate service at Layer 7, using Pomerium's own proxy service or another reverse proxy such as NGINX or Envoy. Three details matter when writing that rule. Match on the path prefix rather than the exact path, so that `/debug/pprof/heap` and `/debug/pprof/profile` are covered and not just `/debug`; make sure the proxy normalizes the path (dot segments, duplicate slashes, percent-encoding) before matching, as NGINX and Envoy do by default; and confirm that the Authenticate service cannot be reached around the proxy, since a block on a front end is useless if the service's own listener is exposed directly. Network segmentation should additionally confine diagnostic endpoints to trusted monitoring and administrative hosts, and metrics that are genuinely needed should be scraped from a dedicated internal listener rather than the public one. After applying the workaround, verify it: an unauthenticated request to `/debug/pprof/` and to `/metrics` on the public Authenticate hostname should return 404 or 403. Add monitoring for requests to these paths, which on a public authentication endpoint are almost always reconnaissance. Finally, because `/debug/pprof/cmdline` returns the process command line, never pass secrets as command-line flags to a Go service that might be exposed this way; the standard pprof handlers do not serve environment variables, so the command line is where the configuration-secret concern actually lies.
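The following Go program is an added illustration for the technical summary and the mitigation guidance above; it is not Pomerium's code and does not reproduce Pomerium's handler wiring. It models the class of bug in its simplest form (the real net/http/pprof handlers and a metrics handler registered on the mux that serves untrusted clients), then shows the two corrections a practitioner would apply: diagnostics moved to a separate admin mux intended for a loopback listener, and a prefix-based deny guard on the public mux. `loginHandler` and `metricsStub` are constructed stand-ins; `status` is the same probe to run against a live deployment after the workaround is applied.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/pprof" // importing this also registers handlers on http.DefaultServeMux
	"path"
	"strings"
)

// diagnosticPrefixes are the path prefixes named in the advisory workaround.
var diagnosticPrefixes = []string{"/debug", "/metrics"}

// isDiagnosticPath reports whether p falls under a diagnostic prefix. The path
// is cleaned first so dot-segments ("/x/../debug/pprof/") cannot slip past the
// check; percent-decoding was already applied by net/http when it filled
// r.URL.Path. A plain prefix match is used on purpose: over-blocking fails
// closed, under-blocking is the vulnerability.
func isDiagnosticPath(p string) bool {
	p = path.Clean("/" + p)
	for _, prefix := range diagnosticPrefixes {
		if strings.HasPrefix(p, prefix) {
			return true
		}
	}
	return false
}

// loginHandler is a constructed stand-in for the business endpoint that end-user
// browsers must be able to reach (for Pomerium's Authenticate service, the login flow).
func loginHandler(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintln(w, "authenticate: sign-in page")
}

// metricsStub is a constructed stand-in for a Prometheus exposition handler.
func metricsStub(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintln(w, "# TYPE process_open_fds gauge")
	fmt.Fprintln(w, "process_open_fds 42")
}

// registerDiagnostics wires the real pprof handlers plus metrics onto a mux.
// Shared by the vulnerable and the admin mux: the only difference between the
// two is which listener the mux ends up behind.
func registerDiagnostics(mux *http.ServeMux) {
	mux.HandleFunc("/debug/pprof/", pprof.Index)          // goroutine, heap, allocs, ... by name
	mux.HandleFunc("/debug/pprof/cmdline", pprof.Cmdline) // full process command line
	mux.HandleFunc("/debug/pprof/profile", pprof.Profile) // CPU profile: costly, the DoS lever
	mux.HandleFunc("/debug/pprof/trace", pprof.Trace)     // execution trace: likewise
	mux.HandleFunc("/metrics", metricsStub)
}

// vulnerableMux models the failure mode: diagnostics on the public mux.
func vulnerableMux() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/", loginHandler)
	registerDiagnostics(mux)
	return mux
}

// adminMux is where diagnostics belong; serve it on loopback or an internal address only.
func adminMux() http.Handler {
	mux := http.NewServeMux()
	registerDiagnostics(mux)
	return mux
}

// denyDiagnostics refuses diagnostic paths before any handler runs. It answers
// 404 rather than 403 so an unauthenticated caller cannot tell whether the
// path exists behind the guard.
func denyDiagnostics(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if isDiagnosticPath(r.URL.Path) {
			http.NotFound(w, r)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// publicMux is the hardened public surface: only the business handler, with the
// guard layered on top as defence in depth. A stray `import _ "net/http/pprof"`
// anywhere in the binary registers /debug/pprof/ on http.DefaultServeMux, so the
// public listener must never be started with a nil handler.
func publicMux() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/", loginHandler)
	return denyDiagnostics(mux)
}

// status performs an in-process GET against h and returns the HTTP status code.
// Against a live deployment, anything other than 404/403 for /debug/pprof/ or
// /metrics on the public Authenticate hostname means the workaround is not in effect.
func status(h http.Handler, p string) int {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, p, nil))
	return rec.Code
}

func main() {
	for _, p := range []string{"/", "/debug/pprof/", "/debug/pprof/cmdline", "/metrics"} {
		fmt.Printf("%-24s vulnerable=%d public=%d admin=%d\n",
			p, status(vulnerableMux(), p), status(publicMux(), p), status(adminMux(), p))
	}
	// Production wiring (not started here):
	//   go http.ListenAndServe("127.0.0.1:6060", adminMux()) // diagnostics, loopback only
	//   http.ListenAndServe(":443", publicMux())            // never pass nil here
}
```

The equivalent rule at an NGINX front end is a prefix location for each path (`location ^~ /debug { return 404; }` and the same for `/metrics`); NGINX normalizes the URI before location matching, so dot-segment and double-slash variants are caught there too. Either guard only helps if the Authenticate service's own listener is not reachable around the proxy.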
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2022-02-10T00:00:00.000Z
- CISA Enriched: true
Threat ID: 682d9843c4522896dcbf2bc1
Added to database: 5/21/2025, 9:09:23 AM
Last enriched: 6/23/2025, 11:36:08 AM
Last updated: 8/17/2025, 10:11:55 AM