GHSA-87m9-rv8p-rgmg

Suggest an improvement
Source
https://github.com/advisories/GHSA-87m9-rv8p-rgmg
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-87m9-rv8p-rgmg/GHSA-87m9-rv8p-rgmg.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-87m9-rv8p-rgmg
Aliases
Related
Published
2024-06-10T18:36:23Z
Modified
2024-07-15T22:12:29.061663Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
go-grpc-compression has a zstd decompression bombing vulnerability
Details

Impact

A malicious user could cause a denial of service (DoS) when using a specially crafted gRPC request. The decompression mechanism for zstd did not respect the limits imposed by gRPC, allowing rapid memory usage increases.

Versions v1.1.4 through to v1.2.2 made use of the Decoder.DecodeAll function in github.com/klauspost/compress/zstd to decompress data provided by the peer. The vulnerability is exploitable only by attackers who can send gRPC payloads to users of github.com/mostynb/go-grpc-compression/zstd or github.com/mostynb/go-grpc-compression/nonclobbering/zstd.

Patches

Version v1.2.3 of github.com/mostynb/go-grpc-compression avoids the issue by not using the Decoder.DecodeAll function in github.com/klauspost/compress/zstd.

All users of github.com/mostynb/go-grpc-compression/zstd or github.com/mostynb/go-grpc-compression/nonclobbering/zstd in the affected versions should update to v1.2.3.

Workarounds

Other compression formats were not affected, users may consider switching from zstd to another format without upgrading to a newer release.

References

This issue was uncovered during a security audit performed by Miroslav Stampar of 7ASecurity, facilitated by OSTIF, for the OpenTelemetry project.

https://opentelemetry.io/blog/2024/cve-2024-36129 https://github.com/open-telemetry/opentelemetry-collector/security/advisories/GHSA-c74f-6mfw-mm4v

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-400"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-10T18:36:23Z"
}
References

Affected packages

Go / github.com/mostynb/go-grpc-compression

Package

Name
github.com/mostynb/go-grpc-compression
View open source insights on deps.dev
Purl
pkg:golang/github.com/mostynb/go-grpc-compression

Affected ranges

Type
SEMVER
Events
Introduced
1.1.4
Fixed
1.2.3