GHSA-m425-mq94-257g

Suggest an improvement
Source
https://github.com/advisories/GHSA-m425-mq94-257g
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-m425-mq94-257g/GHSA-m425-mq94-257g.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-m425-mq94-257g
Aliases
Related
Published
2023-10-25T21:17:37Z
Modified
2024-10-22T05:28:47.277637Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
gRPC-Go HTTP/2 Rapid Reset vulnerability
Details

Impact

In affected releases of gRPC-Go, it is possible for an attacker to send HTTP/2 requests, cancel them, and send subsequent requests, which is valid by the HTTP/2 protocol, but would cause the gRPC-Go server to launch more concurrent method handlers than the configured maximum stream limit.

Patches

This vulnerability was addressed by #6703 and has been included in patch releases: 1.56.3, 1.57.1, 1.58.3. It is also included in the latest release, 1.59.0.

Along with applying the patch, users should also ensure they are using the grpc.MaxConcurrentStreams server option to apply a limit to the server's resources used for any single connection.

Workarounds

None.

References

6703

References

Affected packages

Go / google.golang.org/grpc

Package

Name
google.golang.org/grpc
View open source insights on deps.dev
Purl
pkg:golang/google.golang.org/grpc

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.56.3

Go / google.golang.org/grpc

Package

Name
google.golang.org/grpc
View open source insights on deps.dev
Purl
pkg:golang/google.golang.org/grpc

Affected ranges

Type
SEMVER
Events
Introduced
1.57.0
Fixed
1.57.1

Go / google.golang.org/grpc

Package

Name
google.golang.org/grpc
View open source insights on deps.dev
Purl
pkg:golang/google.golang.org/grpc

Affected ranges

Type
SEMVER
Events
Introduced
1.58.0
Fixed
1.58.3