GHSA-m425-mq94-257g
Suggest an improvement- Source
- https://github.com/advisories/GHSA-m425-mq94-257g
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-m425-mq94-257g/GHSA-m425-mq94-257g.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-m425-mq94-257g
- Aliases
- Related
- Published
- 2023-10-25T21:17:37Z
- Modified
- 2024-07-19T16:32:30Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- gRPC-Go HTTP/2 Rapid Reset vulnerability
- Details
-
Impact
In affected releases of gRPC-Go, it is possible for an attacker to send HTTP/2 requests, cancel them, and send subsequent requests, which is valid by the HTTP/2 protocol, but would cause the gRPC-Go server to launch more concurrent method handlers than the configured maximum stream limit.
Patches
This vulnerability was addressed by #6703 and has been included in patch releases: 1.56.3, 1.57.1, 1.58.3. It is also included in the latest release, 1.59.0.
Along with applying the patch, users should also ensure they are using the
grpc.MaxConcurrentStreamsserver option to apply a limit to the server's resources used for any single connection.Workarounds
None.
References
6703
- References
Affected packages
Go / google.golang.org/grpc
Package
- Name
- google.golang.org/grpc
- View open source insights on deps.dev
- Purl
- pkg:golang/google.golang.org/grpc
Go / google.golang.org/grpc
Package
- Name
- google.golang.org/grpc
- View open source insights on deps.dev
- Purl
- pkg:golang/google.golang.org/grpc
Go / google.golang.org/grpc
Package
- Name
- google.golang.org/grpc
- View open source insights on deps.dev
- Purl
- pkg:golang/google.golang.org/grpc