MidnightBSD

Advisories for grpc

CVE-2017-7860 HIGH

Google gRPC before 2017-02-22 has an out-of-bounds write caused by a heap-based buffer overflow related to the parse_unix function in core/ext/client_channel/parse_address.c.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787

Products Affected

Vendor Product Version
grpc grpc *
CVE-2017-7861 HIGH

Google gRPC before 2017-02-22 has an out-of-bounds write related to the gpr_free function in core/lib/support/alloc.c.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787

Products Affected

Vendor Product Version
grpc grpc *
CVE-2017-8359 HIGH

Google gRPC before 2017-03-29 has an out-of-bounds write caused by a heap-based use-after-free related to the grpc_call_destroy function in core/lib/surface/call.c.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787

Products Affected

Vendor Product Version
grpc grpc *
CVE-2017-9431 HIGH

Google gRPC before 2017-04-05 has an out-of-bounds write caused by a heap-based buffer overflow related to core/lib/iomgr/error.c.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787

Products Affected

Vendor Product Version
grpc grpc *
CVE-2020-7768 MEDIUM

The package grpc before 1.24.4; the package @grpc/grpc-js before 1.1.8 are vulnerable to Prototype Pollution via loadPackageDefinition.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-1321

Products Affected

Vendor Product Version
grpc grpc *
CVE-2023-1428

There exists a vulnerability causing an abort() to be called in gRPC. The following headers cause gRPC's C++ implementation to abort() when received via HTTP/2:
- te: x (x != trailers)
- :scheme: x (x != http, https)
- grpclb_client_stats: x (x == anything)
On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB. We recommend upgrading past git commit 2485fa94bd8a723e5c977d55a3ce10b301b437f8 or v1.53 and above.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve-coordination@google.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
grpc grpc *
CVE-2023-32731

When the gRPC HTTP/2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients, leading to an information leak that can be used for privilege escalation or data exfiltration. We recommend upgrading beyond the commit contained in https://github.com/grpc/grpc/pull/33005

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve-coordination@google.com 7.4 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H 2.2 5.2

Products Affected

Vendor Product Version
grpc grpc *
CVE-2023-32732

gRPC contains a vulnerability whereby a client can cause a termination of the connection between an HTTP/2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP/2 proxies. We recommend upgrading beyond the commit in https://github.com/grpc/grpc/pull/32309

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve-coordination@google.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

Products Affected

Vendor Product Version
grpc grpc *
fedoraproject fedora 37
fedoraproject fedora 38
CVE-2023-33953

gRPC contains a vulnerability whereby HPACK table accounting errors could lead to unwanted disconnects between clients and servers in exceptional cases. Three vectors were found that allow the following DoS attacks:
- Unbounded memory buffering in the HPACK parser
- Unbounded CPU consumption in the HPACK parser
The unbounded CPU consumption is down to a copy that occurred per input block in the parser, and because that could be unbounded due to the memory copy bug we end up with an O(n^2) parsing loop, with n selected by the client. The unbounded memory buffering bugs:
- The header size limit check was behind the string reading code, so we needed to first buffer up to a 4 gigabyte string before rejecting it as longer than 8 or 16kb.
- HPACK varints have an encoding quirk whereby an infinite number of 0's can be added at the start of an integer. gRPC's HPACK parser needed to read all of them before concluding a parse.
- gRPC's metadata overflow check was performed per frame, so that the following sequence of frames could cause infinite buffering: HEADERS containing a: 1, CONTINUATION containing a: 2, CONTINUATION containing a: 3, etc.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve-coordination@google.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
grpc grpc *
CVE-2023-44487

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
redhat jboss_fuse 7.0.0
f5 big-ip_local_traffic_manager 17.1.0
redhat 3scale_api_management_platform 2.0
redhat node_maintenance_operator -
cisco connected_mobile_experiences *
redhat service_interconnect 1.0
redhat openshift_pipelines -
caddyserver caddy *
redhat integration_camel_k -
apache tomcat *
f5 nginx_ingress_controller *
microsoft windows_10_21h2 *
microsoft windows_10_22h2 *
cisco iot_field_network_director *
openresty openresty *
redhat enterprise_linux 8.0
cisco ios_xr *
apple swiftnio_http/2 *
cisco prime_network_registrar *
cisco unified_contact_center_domain_manager -
f5 big-ip_domain_name_system 17.1.0
cisco ios_xe *
redhat logging_subsystem_for_red_hat_openshift -
envoyproxy envoy 1.26.4
redhat fence_agents_remediation_operator -
dena h2o *
f5 big-ip_application_security_manager 17.1.0
akka http_server *
redhat node_healthcheck_operator -
grpc grpc *
f5 big-ip_application_visibility_and_reporting *
f5 big-ip_websafe 17.1.0
netapp astra_control_center -
microsoft cbl-mariner *
f5 big-ip_ssl_orchestrator 17.1.0
grpc grpc 1.57.0
linkerd linkerd 2.14.0
f5 big-ip_advanced_web_application_firewall *
cisco expressway *
redhat jboss_data_grid 7.0.0
redhat jboss_enterprise_application_platform 7.0.0
f5 nginx_plus *
redhat run_once_duration_override_operator -
redhat web_terminal -
ietf http 2.0
redhat integration_service_registry -
microsoft windows_server_2016 -
redhat decision_manager 7.0
f5 nginx_plus r29
redhat single_sign-on 7.0
microsoft windows_10_1607 *
redhat openshift_dev_spaces -
f5 big-ip_fraud_protection_service *
microsoft asp.net_core *
apache solr *
redhat jboss_core_services -
kazu-yamamoto http2 *
cisco telepresence_video_communication_server *
konghq kong_gateway *
f5 big-ip_fraud_protection_service 17.1.0
redhat openshift_developer_tools_and_services -
f5 big-ip_link_controller *
f5 big-ip_next 20.0.1
cisco unified_attendant_console_advanced -
f5 big-ip_webaccelerator 17.1.0
redhat satellite 6.0
f5 big-ip_ddos_hybrid_defender *
redhat ceph_storage 5.0
f5 big-ip_advanced_firewall_manager 17.1.0
cisco unified_contact_center_management_portal -
golang networking *
redhat migration_toolkit_for_containers -
microsoft windows_server_2019 -
cisco prime_cable_provisioning *
netty netty *
f5 big-ip_application_security_manager *
redhat build_of_quarkus -
nghttp2 nghttp2 *
apache apisix *
f5 big-ip_application_visibility_and_reporting 17.1.0
debian debian_linux 11.0
f5 big-ip_link_controller 17.1.0
redhat advanced_cluster_security 4.0
redhat enterprise_linux 6.0
redhat self_node_remediation_operator -
fedoraproject fedora 38
microsoft .net *
cisco crosswork_zero_touch_provisioning *
redhat machine_deletion_remediation_operator -
redhat openshift_container_platform_assisted_installer -
microsoft windows_10_1809 *
cisco ultra_cloud_core_-_policy_control_function 2024.01.0
cisco ultra_cloud_core_-_policy_control_function *
cisco unified_contact_center_enterprise_-_live_data_server *
redhat openshift_distributed_tracing -
redhat cost_management -
redhat network_observability_operator -
apache tomcat 11.0.0
redhat openshift_service_mesh 2.0
redhat migration_toolkit_for_virtualization -
apache traffic_server *
redhat jboss_fuse 6.0.0
redhat ansible_automation_platform 2.0
cisco business_process_automation *
f5 big-ip_websafe *
f5 big-ip_global_traffic_manager 17.1.0
redhat cert-manager_operator_for_red_hat_openshift -
cisco firepower_threat_defense *
linecorp armeria *
cisco nx-os *
envoyproxy envoy 1.25.9
cisco unified_contact_center_enterprise -
projectcontour contour *
cisco secure_web_appliance_firmware *
cisco fog_director *
redhat openstack_platform 17.1
cisco secure_dynamic_attributes_connector *
envoyproxy envoy 1.24.10
jenkins jenkins *
redhat openshift -
redhat openshift_data_science -
redhat openshift_api_for_data_protection -
microsoft windows_11_21h2 *
golang go *
f5 big-ip_advanced_web_application_firewall 17.1.0
f5 nginx_plus r30
cisco data_center_network_manager -
f5 big-ip_global_traffic_manager *
microsoft azure_kubernetes_service *
redhat openstack_platform 16.2
redhat certification_for_red_hat_enterprise_linux 8.0
envoyproxy envoy 1.27.0
linkerd linkerd 2.14.1
redhat enterprise_linux 9.0
f5 big-ip_application_acceleration_manager *
redhat openshift_virtualization 4
traefik traefik *
f5 big-ip_domain_name_system *
fedoraproject fedora 37
f5 big-ip_analytics 17.1.0
microsoft windows_server_2022 -
linkerd linkerd 2.13.0
f5 big-ip_application_acceleration_manager 17.1.0
golang http2 *
redhat cryostat 2.0
cisco crosswork_situation_manager -
f5 big-ip_access_policy_manager 17.1.0
redhat service_telemetry_framework 1.5
redhat build_of_optaplanner 8.0
redhat jboss_a-mq_streams -
redhat process_automation 7.0
linkerd linkerd *
nodejs node.js *
varnish_cache_project varnish_cache *
f5 big-ip_local_traffic_manager *
eclipse jetty *
f5 big-ip_access_policy_manager *
f5 big-ip_advanced_firewall_manager *
cisco prime_access_registrar *
cisco secure_malware_analytics *
istio istio *
f5 big-ip_carrier-grade_nat *
debian debian_linux 10.0
redhat migration_toolkit_for_applications 6.0
traefik traefik 3.0.0
f5 big-ip_ssl_orchestrator *
redhat openshift_serverless -
f5 big-ip_analytics *
f5 big-ip_policy_enforcement_manager 17.1.0
facebook proxygen *
microsoft windows_11_22h2 *
redhat openshift_gitops -
redhat openstack_platform 16.1
f5 big-ip_webaccelerator *
netapp oncommand_insight -
redhat jboss_enterprise_application_platform 6.0.0
cisco crosswork_data_gateway 5.0
redhat quay 3.0.0
f5 big-ip_next_service_proxy_for_kubernetes *
redhat certification_for_red_hat_enterprise_linux 9.0
cisco prime_infrastructure *
redhat jboss_a-mq 7
redhat integration_camel_for_spring_boot -
redhat openshift_sandboxed_containers -
microsoft visual_studio_2022 *
linkerd linkerd 2.13.1
f5 big-ip_carrier-grade_nat 17.1.0
cisco crosswork_data_gateway *
cisco enterprise_chat_and_email -
redhat openshift_container_platform 4.0
redhat advanced_cluster_security 3.0
debian debian_linux 12.0
f5 nginx *
cisco ultra_cloud_core_-_session_management_function *
redhat support_for_spring_boot -
cisco ultra_cloud_core_-_serving_gateway_function *
redhat advanced_cluster_management_for_kubernetes 2.0
f5 big-ip_ddos_hybrid_defender 17.1.0
redhat openshift_secondary_scheduler_operator -
amazon opensearch_data_prepper *
f5 big-ip_policy_enforcement_manager *
CVE-2023-4785

Lack of error handling in the TCP server in Google's gRPC starting with version 1.23 on POSIX-compatible platforms (e.g. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++, Python, and Ruby are affected, but gRPC Java and Go are NOT affected.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6
cve-coordination@google.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
grpc grpc *
grpc grpc 1.56.0
CVE-2024-11407

There exists a denial of service through data corruption in gRPC-C++: gRPC-C++ servers with transmit zero copy enabled through the channel arg GRPC_ARG_TCP_TX_ZEROCOPY_ENABLED can experience data corruption issues. The data sent by the application may be corrupted before transmission over the network, thus leading the receiver to receive an incorrect set of bytes and causing RPC requests to fail. We recommend upgrading past commit e9046b2bbebc0cb7f5dc42008f807f6c7e98e791.

Products Affected

Vendor Product Version
grpc grpc *
CVE-2024-7246

It's possible for a gRPC client communicating with an HTTP/2 proxy to poison the HPACK table between the proxy and the backend such that other clients see failed requests. It's also possible to use this vulnerability to leak other clients' HTTP header keys, but not values. This occurs because the error status for a misencoded header is not cleared between header reads, resulting in subsequent (incrementally indexed) added headers in the first request being poisoned until cleared from the HPACK table. Please update to a fixed version of gRPC as soon as possible. This bug has been fixed in 1.58.3, 1.59.5, 1.60.2, 1.61.3, 1.62.3, 1.63.2, 1.64.3, 1.65.4.

Products Affected

Vendor Product Version
grpc grpc *