-
-
Notifications
You must be signed in to change notification settings - Fork 221
/
Copy pathCVE-2023-32731.yml
29 lines (29 loc) · 1.13 KB
/
CVE-2023-32731.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
---
gem: grpc
cve: 2023-32731
ghsa: cfgp-2977-2fmm
url: https://github.com/grpc/grpc/issues/33463
title: Connection confusion in gRPC
date: 2023-07-05
description: |
When gRPC HTTP2 stack raised a header size exceeded error, it
skipped parsing the rest of the HPACK frame. This caused any HPACK
table mutations to also be skipped, resulting in a desynchronization
of HPACK tables between sender and receiver. If leveraged, say,
between a proxy and a backend, this could lead to requests from the
proxy being interpreted as containing headers from different
proxy clients
- leading to an information leak that can be used for privilege
escalation or data exfiltration. We recommend upgrading beyond
the commit contained in https://github.com/grpc/grpc/pull/32309
cvss_v3: 7.5
patched_versions:
- ">= 1.53.1"
related:
url:
- https://nvd.nist.gov/vuln/detail/CVE-2023-32731
- https://github.com/grpc/grpc/releases/tag/v1.53.1
- https://github.com/grpc/grpc/issues/33463
- https://github.com/grpc/grpc/pull/33005
- https://github.com/grpc/grpc/pull/32309
- https://github.com/advisories/GHSA-cfgp-2977-2fmm