PyPI package
grpcio
pkg:pypi/grpcio
Vulnerabilities (5)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2023-4785 | Hig | 7.5 | >= 1.55.0, < 1.55.3 | 1.55.3 | Sep 13, 2023 | Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are aff | |
| CVE-2023-33953 | Hig | 7.5 | < 1.53.2 | 1.53.2 | Aug 9, 2023 | gRPC contains a vulnerability that allows hpack table accounting errors could lead to unwanted disconnects between clients and servers in exceptional cases/ Three vectors were found that allow the following DOS attacks: - Unbounded memory buffering in the HPACK parser - Unbounde | |
| CVE-2023-32732 | Med | 5.3 | >= 1.53.0, < 1.53.1 | 1.53.1 | Jun 9, 2023 | gRPC contains a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. We recom | |
| CVE-2023-32731 | Hig | 7.4 | >= 1.53.0, < 1.53.1 | 1.53.1 | Jun 9, 2023 | When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy an | |
| CVE-2023-1428 | Hig | 7.5 | >= 1.51.0, < 1.53.0 | 1.53.0 | Jun 9, 2023 | There exists an vulnerability causing an abort() to be called in gRPC. The following headers cause gRPC's C++ implementation to abort() when called via http2: te: x (x != trailers) :scheme: x (x != http, https) grpclb_client_stats: x (x == anything) On top of sending one of |
- affected >= 1.55.0, < 1.55.3fixed 1.55.3
Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are aff
- affected < 1.53.2fixed 1.53.2
gRPC contains a vulnerability that allows hpack table accounting errors could lead to unwanted disconnects between clients and servers in exceptional cases/ Three vectors were found that allow the following DOS attacks: - Unbounded memory buffering in the HPACK parser - Unbounde
- affected >= 1.53.0, < 1.53.1fixed 1.53.1
gRPC contains a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. We recom
- affected >= 1.53.0, < 1.53.1fixed 1.53.1
When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy an
- affected >= 1.51.0, < 1.53.0fixed 1.53.0
There exists an vulnerability causing an abort() to be called in gRPC. The following headers cause gRPC's C++ implementation to abort() when called via http2: te: x (x != trailers) :scheme: x (x != http, https) grpclb_client_stats: x (x == anything) On top of sending one of