ghsa-6628-q6j9-w8vg
Vulnerability from github
Published
2023-07-06 21:15
Modified
2023-07-14 05:11
Severity ?
Summary
gRPC Reachable Assertion issue
Details
There exists an vulnerability causing an abort() to be called in gRPC. The following headers cause gRPC's C++ implementation to abort() when called via http2:
te: x (x != trailers)
:scheme: x (x != http, https)
grpclb_client_stats: x (x == anything)
On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB. We recommend upgrading past git commit 2485fa94bd8a723e5c977d55a3ce10b301b437f8 or v1.53 and above.
{ "affected": [ { "package": { "ecosystem": "Maven", "name": "io.grpc:grpc-protobuf" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "1.53.0" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "PyPI", "name": "grpcio" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "1.53.0" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "RubyGems", "name": "grpc" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "1.53.0" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2023-1428" ], "database_specific": { "cwe_ids": [ "CWE-617" ], "github_reviewed": true, "github_reviewed_at": "2023-07-06T23:56:28Z", "nvd_published_at": "2023-06-09T11:15:09Z", "severity": "HIGH" }, "details": "There exists an vulnerability causing an abort() to be called in gRPC.\u00a0\nThe following headers cause gRPC\u0027s C++ implementation to abort() when called via http2:\n\nte: x (x != trailers)\n\n:scheme: x (x != http, https)\n\ngrpclb_client_stats: x (x == anything)\n\nOn top of sending one of those headers, a later header must be sent that gets the total header size past 8KB. We recommend upgrading past git commit\u00a02485fa94bd8a723e5c977d55a3ce10b301b437f8 or v1.53 and above.", "id": "GHSA-6628-q6j9-w8vg", "modified": "2023-07-14T05:11:55Z", "published": "2023-07-06T21:15:08Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1428" }, { "type": "WEB", "url": "https://github.com/grpc/grpc/issues/33463" }, { "type": "WEB", "url": "https://github.com/grpc/grpc/commit/2485fa94bd8a723e5c977d55a3ce10b301b437f8" }, { "type": "WEB", "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/grpc/CVE-2023-1428.yml" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "type": "CVSS_V3" } ], "summary": "gRPC Reachable Assertion issue" }
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.