VYPR
High severityNVD Advisory· Published Jun 9, 2023· Updated Sep 26, 2024

Denial-of-Service in gRPC

CVE-2023-1428

Description

There exists an vulnerability causing an abort() to be called in gRPC. The following headers cause gRPC's C++ implementation to abort() when called via http2:

te: x (x != trailers)

:scheme: x (x != http, https)

grpclb_client_stats: x (x == anything)

On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB. We recommend upgrading past git commit 2485fa94bd8a723e5c977d55a3ce10b301b437f8 or v1.53 and above.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
io.grpc:grpc-protobufMaven
>= 1.51.0, < 1.53.01.53.0
grpcioPyPI
>= 1.51.0, < 1.53.01.53.0
grpcRubyGems
>= 1.51.0, < 1.53.01.53.0

Affected products

17

Patches

Vulnerability mechanics

References

5

News mentions

0

No linked articles in our index yet.