High severityNVD Advisory· Published Jun 9, 2023· Updated Sep 26, 2024
Denial-of-Service in gRPC
CVE-2023-1428
Description
There exists an vulnerability causing an abort() to be called in gRPC. The following headers cause gRPC's C++ implementation to abort() when called via http2:
te: x (x != trailers)
:scheme: x (x != http, https)
grpclb_client_stats: x (x == anything)
On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB. We recommend upgrading past git commit 2485fa94bd8a723e5c977d55a3ce10b301b437f8 or v1.53 and above.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
io.grpc:grpc-protobufMaven | >= 1.51.0, < 1.53.0 | 1.53.0 |
grpcioPyPI | >= 1.51.0, < 1.53.0 | 1.53.0 |
grpcRubyGems | >= 1.51.0, < 1.53.0 | 1.53.0 |
Affected products
17- osv-coords16 versionspkg:apk/chainguard/hivepkg:apk/chainguard/hive-compatpkg:apk/chainguard/stargatepkg:apk/chainguard/wavefront-proxypkg:apk/chainguard/wavefront-proxy-compatpkg:apk/chainguard/wavefront-proxy-configpkg:apk/chainguard/wavefront-proxy-licensespkg:apk/chainguard/wavefront-proxy-oci-entrypointpkg:apk/wolfi/wavefront-proxypkg:apk/wolfi/wavefront-proxy-compatpkg:apk/wolfi/wavefront-proxy-configpkg:apk/wolfi/wavefront-proxy-licensespkg:apk/wolfi/wavefront-proxy-oci-entrypointpkg:gem/grpcpkg:maven/io.grpc/grpc-protobufpkg:pypi/grpcio
< 4.0.1-r1+ 15 more
- (no CPE)range: < 4.0.1-r1
- (no CPE)range: < 4.0.1-r1
- (no CPE)range: < 1.0.78-r2
- (no CPE)range: < 13.4-r1
- (no CPE)range: < 13.4-r1
- (no CPE)range: < 13.4-r1
- (no CPE)range: < 13.4-r1
- (no CPE)range: < 13.4-r1
- (no CPE)range: < 13.4-r1
- (no CPE)range: < 13.4-r1
- (no CPE)range: < 13.4-r1
- (no CPE)range: < 13.4-r1
- (no CPE)range: < 13.4-r1
- (no CPE)range: >= 1.51.0, < 1.53.0
- (no CPE)range: >= 1.51.0, < 1.53.0
- (no CPE)range: >= 1.51.0, < 1.53.0
- Google/gRPCv5Range: 1.51
Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-6628-q6j9-w8vgghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-1428ghsaADVISORY
- github.com/grpc/grpc/commit/2485fa94bd8a723e5c977d55a3ce10b301b437f8ghsaWEB
- github.com/grpc/grpc/issues/33463ghsaWEB
- github.com/rubysec/ruby-advisory-db/blob/master/gems/grpc/CVE-2023-1428.ymlghsaWEB
News mentions
0No linked articles in our index yet.