GHSA-6628-q6j9-w8vg

Source
https://github.com/advisories/GHSA-6628-q6j9-w8vg
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-6628-q6j9-w8vg/GHSA-6628-q6j9-w8vg.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-6628-q6j9-w8vg
Aliases
Related
Published
2023-07-06T21:15:08Z
Modified
2024-02-16T08:23:11.573485Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
gRPC Reachable Assertion issue
Details

There exists a vulnerability causing an abort() to be called in gRPC. The following headers cause gRPC's C++ implementation to abort() when called via HTTP/2:

  • te: x (x != trailers)
  • :scheme: x (x != http, https)
  • grpclbclientstats: x (x == anything)

On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB. We recommend upgrading past git commit 2485fa94bd8a723e5c977d55a3ce10b301b437f8, or to v1.53 and above.
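A defender-side check encoding the two conditions above (one of the three offending headers, plus a header block past 8KB), written here as an added example rather than gRPC project code; it is the kind of rule an ingress proxy or IDS could apply in front of a not-yet-upgraded C-core gRPC server. The header-list size accounting follows RFC 7541 (name + value + 32 bytes per entry) and is assumed to approximate gRPC's own metadata-size check; the sample header blocks are constructed, not captured traffic.

```python
# Added example (not gRPC project code): a defender-side header check encoding
# the trigger conditions from GHSA-6628-q6j9-w8vg, for use in an ingress proxy
# or IDS rule in front of a gRPC C-core server that has not been upgraded.
from typing import Iterable, List, Tuple

Header = Tuple[str, str]

# The advisory's threshold: the header block must grow past 8KB.
HEADER_SIZE_LIMIT = 8 * 1024


def offending_headers(headers: Iterable[Header]) -> List[str]:
    """One reason per header matching one of the advisory's three patterns."""
    reasons = []
    for name, value in headers:
        lname = name.lower()  # HTTP/2 names are lowercase on the wire; be tolerant
        if lname == "te" and value != "trailers":
            reasons.append(f"te={value!r} (only 'trailers' is legal in HTTP/2)")
        elif lname == ":scheme" and value not in ("http", "https"):
            reasons.append(f":scheme={value!r} (not http or https)")
        elif lname == "grpclbclientstats":
            reasons.append("grpclbclientstats header present")
    return reasons


def header_list_size(headers: Iterable[Header]) -> int:
    """Decoded header-list size as RFC 7541 s.4.1 counts it: name + value + 32
    bytes per entry. Assumed to approximate gRPC's metadata-size accounting."""
    return sum(len(n) + len(v) + 32 for n, v in headers)


def classify(headers: List[Header]) -> Tuple[str, List[str]]:
    """'trigger' when both advisory conditions hold (offending header AND >8KB),
    'suspicious' when only an offending header is present, else 'clean'."""
    reasons = offending_headers(headers)
    size = header_list_size(headers)
    if reasons and size > HEADER_SIZE_LIMIT:
        return "trigger", reasons + [f"header list {size} bytes > {HEADER_SIZE_LIMIT}"]
    if reasons:
        return "suspicious", reasons
    return "clean", []


# Constructed sample header blocks (not captured traffic).
BENIGN = [(":method", "POST"), (":scheme", "https"), (":path", "/pkg.Svc/Call"),
          ("te", "trailers"), ("content-type", "application/grpc")]
BAD_TE = [h if h[0] != "te" else ("te", "x") for h in BENIGN]
BAD_TE_LARGE = BAD_TE + [("x-padding", "a" * 9000)]

if __name__ == "__main__":
    for label, block in (("benign", BENIGN), ("bad te", BAD_TE), ("bad te + 8KB", BAD_TE_LARGE)):
        verdict, why = classify(block)
        print(f"{label:14} -> {verdict} {why}")
```

A "suspicious" verdict on its own is worth logging: the te and :scheme values flagged are protocol violations regardless of the size condition.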

Database specific
{
    "nvd_published_at": "2023-06-09T11:15:09Z",
    "cwe_ids": [
        "CWE-617"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-06T23:56:28Z"
}
References

Affected packages

Maven / io.grpc:grpc-protobuf

Package

Name
io.grpc:grpc-protobuf
Purl
pkg:maven/io.grpc/grpc-protobuf

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.53.0

Affected versions

0.*

0.7.0
0.7.1
0.7.2
0.8.0
0.9.0
0.9.1
0.12.0
0.13.0
0.13.1
0.13.2
0.14.0
0.14.1
0.15.0

1.*

1.0.0
1.0.0-pre1
1.0.0-pre2
1.0.1
1.0.2
1.0.3
1.1.1
1.1.2
1.2.0
1.3.0
1.3.1
1.4.0
1.5.0
1.6.0
1.6.1
1.7.0
1.7.1
1.8.0
1.9.0
1.9.1
1.10.0
1.10.1
1.11.0
1.12.0
1.12.1
1.13.1
1.13.2
1.14.0
1.15.0
1.15.1
1.16.0
1.16.1
1.17.0
1.17.1
1.18.0
1.19.0
1.20.0
1.21.0
1.21.1
1.22.0
1.22.1
1.22.2
1.22.3
1.23.0
1.23.1
1.24.0
1.24.1
1.24.2
1.25.0
1.26.0
1.26.1
1.27.0
1.27.1
1.27.2
1.28.0
1.28.1
1.29.0
1.30.0
1.30.1
1.30.2
1.31.0
1.31.1
1.31.2
1.32.1
1.32.2
1.32.3
1.33.0
1.33.1
1.34.0
1.34.1
1.35.0
1.35.1
1.36.0
1.36.1
1.36.2
1.36.3
1.37.0
1.37.1
1.38.0
1.38.1
1.39.0
1.40.0
1.40.1
1.40.2
1.41.0
1.41.1
1.41.2
1.41.3
1.42.0
1.42.1
1.42.2
1.42.3
1.43.0
1.43.1
1.43.2
1.43.3
1.44.0
1.44.1
1.44.2
1.45.0
1.45.1
1.45.2
1.45.3
1.45.4
1.46.0
1.46.1
1.47.0
1.47.1
1.48.0
1.48.1
1.48.2
1.49.0
1.49.1
1.49.2
1.50.0
1.50.1
1.50.2
1.50.3
1.51.0
1.51.1
1.51.3
1.52.0
1.52.1

PyPI / grpcio

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.53.0

Affected versions

0.*

0.3.0
0.4.0a0
0.4.0a1
0.4.0a2
0.4.0a3
0.4.0a4
0.4.0a5
0.4.0a6
0.4.0a7
0.4.0a8
0.4.0a13
0.4.0a14
0.4.0
0.5.0a0
0.5.0a1
0.5.0a2
0.9.0a0
0.9.0a1
0.10.0a0
0.11.0b0
0.11.0b1
0.12.0b0
0.12.0b8
0.13.0
0.13.1rc1
0.13.1
0.14.0rc1
0.14.0
0.15.0

1.*

1.0.0rc1
1.0.0rc2
1.0.0
1.0.1rc1
1.0.1
1.0.2
1.0.3
1.0.4
1.1.0
1.1.3
1.2.0
1.2.1
1.3.0
1.3.3
1.3.5
1.4.0
1.6.0
1.6.3
1.7.0
1.7.3
1.8.1
1.8.2
1.8.3
1.8.4
1.8.6
1.9.0rc1
1.9.0rc2
1.9.0rc3
1.9.0
1.9.1
1.10.0rc2
1.10.0
1.10.1rc1
1.10.1rc2
1.10.1
1.11.0rc1
1.11.0rc2
1.11.0
1.11.1rc1
1.11.1
1.12.0rc1
1.12.0
1.12.1
1.13.0rc1
1.13.0rc2
1.13.0rc3
1.13.0
1.14.0rc1
1.14.0rc2
1.14.0
1.14.1
1.14.2rc1
1.14.2
1.15.0rc1
1.15.0
1.16.0rc1
1.16.0
1.16.1
1.17.0
1.17.1
1.18.0
1.19.0
1.20.0rc1
1.20.0rc2
1.20.0rc3
1.20.0
1.20.1
1.21.0rc1
1.21.1rc1
1.21.1
1.22.0rc1
1.22.0
1.22.1
1.23.0rc1
1.23.0
1.23.1
1.24.0rc1
1.24.0
1.24.1
1.24.3
1.25.0rc1
1.25.0
1.26.0rc1
1.26.0
1.27.0rc1
1.27.0rc2
1.27.1
1.27.2
1.28.0rc1
1.28.0rc2
1.28.1
1.29.0
1.30.0
1.31.0
1.32.0
1.33.1
1.33.2
1.34.0rc1
1.34.0
1.34.1
1.35.0rc1
1.35.0
1.36.0rc1
1.36.0
1.36.1
1.37.0rc1
1.37.0
1.37.1
1.38.0rc1
1.38.0
1.38.1
1.39.0rc1
1.39.0
1.40.0rc1
1.40.0
1.41.0rc2
1.41.0
1.41.1
1.42.0rc1
1.42.0
1.43.0rc1
1.43.0
1.44.0rc1
1.44.0rc2
1.44.0
1.45.0rc1
1.45.0
1.46.0rc1
1.46.0rc2
1.46.0
1.46.1
1.46.3
1.46.5
1.47.0rc1
1.47.0
1.47.2
1.47.5
1.48.0rc1
1.48.0
1.48.1
1.48.2
1.49.0rc1
1.49.0rc3
1.49.0
1.49.1
1.50.0rc1
1.50.0
1.51.0rc1
1.51.0
1.51.1
1.51.3
1.52.0rc1
1.52.0
1.53.0rc2

RubyGems / grpc

Package

Name
grpc
Purl
pkg:gem/grpc

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.53.0

Affected versions

0.*

0.5.0
0.6.0
0.6.1
0.9.2
0.9.3
0.9.4
0.10.0
0.11.0
0.12.0
0.13.0.pre1.1
0.13.0
0.13.1.pre1
0.13.1
0.14.1.pre1
0.14.1
0.15.0

1.*

1.0.0.pre1
1.0.0.pre2
1.0.0
1.0.1.pre1
1.0.1
1.1.2
1.2.0.pre1
1.2.0
1.2.1.pre1
1.2.1.pre2
1.2.2
1.2.5
1.3.4
1.4.0
1.4.1
1.4.5
1.6.0.pre1
1.6.0
1.6.2
1.6.4
1.6.6
1.6.7
1.7.0.pre1
1.7.0
1.7.1
1.7.2
1.7.3
1.8.0
1.8.3
1.8.6
1.8.7
1.9.0.pre1
1.9.0.pre2
1.9.0.pre3
1.9.1
1.10.0.pre1
1.10.0.pre2
1.10.0
1.11.0.pre2
1.11.0
1.11.1
1.12.0
1.13.0.pre1
1.13.0.pre3
1.13.0
1.14.0
1.14.1
1.14.2.pre1
1.14.2
1.15.0.pre1
1.15.0
1.16.0.pre1
1.16.0
1.17.0.pre1
1.17.0
1.17.1
1.18.0.pre1
1.18.0
1.19.0.pre1
1.19.0
1.20.0.pre1
1.20.0
1.21.0
1.22.0.pre1
1.22.0
1.22.1
1.23.0.pre1
1.23.0
1.23.1
1.24.0.pre1
1.24.0
1.25.0.pre1
1.25.0
1.26.0.pre1
1.26.0
1.27.0.pre1
1.27.0
1.28.0.pre1
1.28.0.pre2
1.28.0
1.30.0.pre1
1.30.0
1.30.1
1.30.2
1.31.0.pre1
1.31.0.pre2
1.31.1
1.32.0.pre1
1.32.0
1.33.0.pre1
1.34.0
1.35.0.pre1
1.35.0
1.36.0
1.37.0.pre1
1.37.0
1.37.1
1.38.0.pre1
1.38.0
1.39.0.pre1
1.39.0
1.40.0.pre1
1.40.0
1.41.0.pre2
1.41.0
1.41.1
1.42.0.pre1
1.42.0
1.43.1
1.44.0.pre2
1.45.0
1.46.2
1.46.3
1.47.0
1.48.0.pre1
1.48.0
1.49.0.pre1
1.49.1
1.50.0.pre1
1.50.0
1.51.0
1.52.0.pre2
1.52.0
1.52.2
1.53.0.pre2