CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.001 Low
EPSS Percentile: 34.8%
grpc is vulnerable to Denial of Service (DoS). The vulnerability exists due to improper header validation: a client that sends a request header such as `te: x` (any value other than `trailers`), `:scheme: x` (any value other than `http` or `https`), or `grpclb_client_stats: x` (any value at all), and in the same request enough further header data to push the total header size over 8 KB, causes the server to crash. No authentication or user interaction is needed, and any client that can open an HTTP/2 connection to the server can trigger it.
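As an added example (not code from the gRPC project and not from the advisory), the following Python pre-filter encodes the trigger conditions described above so that a front proxy or a server-side interceptor can drop such requests before they reach an unpatched grpc-core backend, and log them for detection. The 8192-byte limit (grpc-core's default maximum metadata size) and the RFC 7540 header-list-size accounting (name length + value length + 32 bytes per field) are assumptions made here, not statements from the advisory; the sample requests are constructed, not captured traffic.

```python
"""Pre-filter for gRPC-over-HTTP/2 request headers.

Added example; not code from the gRPC project or from the advisory.
It encodes the trigger conditions described in the advisory (te other
than "trailers", :scheme other than http/https, grpclb_client_stats with
any value) together with the total header size that must also exceed
8 KB, so a proxy or interceptor can reject such requests and log them.

Assumptions not taken from the advisory: the 8192-byte limit (grpc-core's
default maximum metadata size) and RFC 7540 header-list-size accounting
(name length + value length + 32 bytes per field).
"""
from typing import Iterable, List, Sequence, Tuple

MAX_HEADER_LIST_BYTES = 8192  # assumed default metadata limit of the backend

Header = Tuple[str, str]


def header_list_size(headers: Iterable[Header]) -> int:
    """Size of a header block as RFC 7540 section 6.5.2 counts it."""
    return sum(len(name.encode()) + len(value.encode()) + 32 for name, value in headers)


def trigger_headers(headers: Iterable[Header]) -> List[str]:
    """Names of headers matching one of the advisory's trigger conditions."""
    hits: List[str] = []
    for name, value in headers:
        lname = name.lower()
        if lname == "te" and value.strip().lower() != "trailers":
            hits.append("te")
        elif lname == ":scheme" and value.lower() not in ("http", "https"):
            hits.append(":scheme")
        elif lname == "grpclb_client_stats":
            hits.append("grpclb_client_stats")
    return hits


def check_request(headers: Sequence[Header]) -> Tuple[bool, str]:
    """Decide whether to forward a request.

    Returns (reject, reason). The crash pattern is a trigger header plus
    a header list over the limit; an oversized header list is rejected on
    its own as ordinary hygiene, and a trigger header inside the limit is
    forwarded but reported so that it shows up in logs.
    """
    size = header_list_size(headers)
    hits = trigger_headers(headers)
    if hits and size > MAX_HEADER_LIST_BYTES:
        return True, "crash pattern: %s with %d-byte header list" % (",".join(hits), size)
    if size > MAX_HEADER_LIST_BYTES:
        return True, "header list %d bytes exceeds %d" % (size, MAX_HEADER_LIST_BYTES)
    if hits:
        return False, "forwarded, nonstandard header(s): " + ",".join(hits)
    return False, "ok"


# Constructed sample requests (not captured traffic).
NORMAL_REQUEST: List[Header] = [
    (":method", "POST"),
    (":scheme", "https"),
    (":path", "/helloworld.Greeter/SayHello"),
    (":authority", "api.example.internal"),
    ("content-type", "application/grpc"),
    ("te", "trailers"),
    ("grpc-timeout", "5S"),
]

# te set to a value other than "trailers", followed by enough header
# data to push the total past the assumed 8 KB limit.
CRASH_PATTERN_REQUEST: List[Header] = [h for h in NORMAL_REQUEST if h[0] != "te"] + [
    ("te", "x"),
    ("x-padding", "A" * 9000),
]

if __name__ == "__main__":
    for label, req in (("normal", NORMAL_REQUEST), ("crash pattern", CRASH_PATTERN_REQUEST)):
        reject, reason = check_request(req)
        print("%-14s reject=%s %s" % (label, reject, reason))
```

Running the module prints one decision per sample request. In a real deployment the interesting output is the log line for the "crash pattern" case: it names the offending header and the measured header-list size, which is what an analyst needs to tell a probe for this bug apart from an ordinary oversized request.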
Affected packages (CPE); operator `le` means less than or equal to the listed version:

| Name | Operator | Version |
|---|---|---|
| grpcio | le | 1.52.0 |
| grpc | le | 1.52.2 |
| grpc.net.client | le | 2.51.0 |
| grpc.net.client.web | le | 2.51.0 |
| io.grpc:grpc-xds | le | 1.52.1 |
| grpc | le | 1.52.0 |
| libgrpc.so | le | 30.0.0 |
References:
github.com/advisories/GHSA-6628-q6j9-w8vg
github.com/grpc/grpc-dotnet/commit/96ea3836b4f0534e844513c49c63a00c395a20fd
github.com/grpc/grpc-java/commit/d07ecbe037d2705a1c9f4b6345581f860e505b56
github.com/grpc/grpc/commit/2485fa94bd8a723e5c977d55a3ce10b301b437f8
github.com/grpc/grpc/commit/7a1412fa12e3ad4735890815b4dd4936c595a345