CVE-2023-33953

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2023-33953
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-33953.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-33953
Aliases
Downstream
Related
Published
2023-08-09T13:15:09.370Z
Modified
2026-03-14T12:07:33.531958Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

gRPC contains a vulnerability that allows hpack table accounting errors could lead to unwanted disconnects between clients and servers in exceptional cases/ Three vectors were found that allow the following DOS attacks:

  • Unbounded memory buffering in the HPACK parser
  • Unbounded CPU consumption in the HPACK parser

The unbounded CPU consumption is down to a copy that occurred per-input-block in the parser, and because that could be unbounded due to the memory copy bug we end up with an O(n^2) parsing loop, with n selected by the client.

The unbounded memory buffering bugs:

  • The header size limit check was behind the string reading code, so we needed to first buffer up to a 4 gigabyte string before rejecting it as longer than 8 or 16kb.
  • HPACK varints have an encoding quirk whereby an infinite number of 0’s can be added at the start of an integer. gRPC’s hpack parser needed to read all of them before concluding a parse.
  • gRPC’s metadata overflow check was performed per frame, so that the following sequence of frames could cause infinite buffering: HEADERS: containing a: 1 CONTINUATION: containing a: 2 CONTINUATION: containing a: 3 etc…
References

Affected packages

Git / github.com/grpc/grpc

Affected ranges

Type
GIT
Repo
https://github.com/grpc/grpc
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
afb307fb89ed83f358d82b5d359034a039a95e66
Introduced
6847e05dbb8088a918f06e2231a405942b5c002d
Fixed
868412b573a0663c8db41558498caf44098f4390
Introduced
6e85620c7e258df79666a4743f862f2f82701c2d
Fixed
c0d1c393d9365664d47df41746e992ae97b651ef
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.53.2"
        },
        {
            "introduced": "1.54.0"
        },
        {
            "fixed": "1.54.3"
        },
        {
            "introduced": "1.56.0"
        },
        {
            "fixed": "1.56.2"
        }
    ]
}

Affected versions

v1.*
v1.54.0
v1.54.1
v1.54.2
v1.56.0
v1.56.1
v1.56.1-pre1

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-33953.json"
unresolved_ranges 
[
    {
        "events": [
            {
                "introduced": "1.55.0"
            },
            {
                "fixed": "1.55.2"
            }
        ]
    }
]