Veracode Vulnerability DatabaseVERACODE:41140Connection Confusion
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
0.002 Low
EPSS
Percentile
56.4%
grpc is vulnerable to Connection Confusion. The vulnerability exists when the gRPC HTTP2 stack raised a header size exceeded error, and it skipped parsing the rest of the HPACK frame, which caused any HPACK table mutations also to be skipped, resulting in the desynchronization of HPACK tables between sender and receiver, leading to requests from the proxy being interpreted as containing headers from different proxy clients, allowing an attacker to gain sensitive information and gain access to the system or data exfiltration.
| CPE | Name | Operator | Version |
|---|---|---|---|
| grpcio | le | 1.52.0 | |
| grpc | le | 1.52.2 | |
| grpc.net.client | le | 2.51.0 | |
| io.grpc:grpc-xds | le | 1.52.1 | |
| grpc | le | 1.52.0 | |
| libgrpc.so | le | 30.0.0 | |
| grpcio | le | 1.52.0 | |
| grpc | le | 1.52.2 | |
| grpc.net.client | le | 2.51.0 | |
| io.grpc:grpc-xds | le | 1.52.1 |
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
0.002 Low
EPSS
Percentile
56.4%