Veracode Vulnerability DatabaseVERACODE:41252Denial Of Service (DoS)
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0.001 Low
EPSS
Percentile
34.8%
grpc is vulnerable to Denial Of Service (DoS). The vulnerability exists due to improper header validation which allows an attacker to send headers such as te: x (x != trailers), scheme: x (x != http, https), and grpclb_client_stats: x (x == anything), leading to the total header size being over 8kb, resulting in an application crash.
| CPE | Name | Operator | Version |
|---|---|---|---|
| grpcio | le | 1.52.0 | |
| grpc | le | 1.52.2 | |
| grpc.net.client | le | 2.51.0 | |
| grpc.net.client.web | le | 2.51.0 | |
| io.grpc:grpc-xds | le | 1.52.1 | |
| grpc | le | 1.52.0 | |
| libgrpc.so | le | 30.0.0 | |
| grpcio | le | 1.52.0 | |
| grpc | le | 1.52.2 | |
| grpc.net.client | le | 2.51.0 |
References
github.com/advisories/GHSA-6628-q6j9-w8vg
github.com/grpc/grpc-dotnet/commit/96ea3836b4f0534e844513c49c63a00c395a20fd
github.com/grpc/grpc-java/commit/d07ecbe037d2705a1c9f4b6345581f860e505b56
github.com/grpc/grpc/commit/2485fa94bd8a723e5c977d55a3ce10b301b437f8
github.com/grpc/grpc/commit/7a1412fa12e3ad4735890815b4dd4936c595a345
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0.001 Low
EPSS
Percentile
34.8%