Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2023-32731

Good to know:

icon

Date: June 9, 2023

When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. We recommend upgrading beyond the commit contained in  https://github.com/grpc/grpc/pull/33005 https://github.com/grpc/grpc/pull/33005

Language: Ruby

Severity Score

Related Resources (10)

https://github.com/grpc/grpc/releases/tag/v1.54.2
https://nvd.nist.gov/vuln/detail/CVE-2023-32731
https://github.com/grpc/grpc/pull/32309
https://github.com/grpc/grpc/commit/29d8beee0ac2555773b2a2dda5601c74a95d6c10
https://github.com/grpc/grpc/issues/33463
https://github.com/grpc/grpc/pull/33005
https://github.com/grpc/grpc/commit/65a2a895afaf1d2072447b9baf246374b182a946
https://github.com/grpc/grpc/releases/tag/v1.53.1
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/grpc/CVE-2023-32731.yml
https://www.mend.io/vulnerability-database/CVE-2023-32731

Severity Score

Weakness Type (CWE)

Expected Behavior Violation

CWE-440

Top Fix

icon

Upgrade Version

Upgrade to version grpcio - 1.53.1;grpcio - 1.54.2;grpc - 1.54.2;grpc - 1.53.1;io.grpc:grpc-protobuf:1.54.2

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): HIGH
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): NONE
Availability (A): HIGH

Do you need more information?

Contact Us