GHSA-m425-mq94-257g
Suggest an improvement- Source
- https://github.com/advisories/GHSA-m425-mq94-257g
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-m425-mq94-257g/GHSA-m425-mq94-257g.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-m425-mq94-257g
- Aliases
-
- BIT-apisix-2023-44487
- BIT-aspnet-core-2023-44487
- BIT-contour-2023-44487
- BIT-dotnet-2023-44487
- BIT-dotnet-sdk-2023-44487
- BIT-envoy-2023-44487
- BIT-golang-2023-44487
- BIT-jenkins-2023-44487
- BIT-kong-2023-44487
- BIT-nginx-2023-44487
- BIT-nginx-ingress-controller-2023-44487
- BIT-node-2023-44487
- BIT-node-min-2023-44487
- BIT-solr-2023-44487
- BIT-tomcat-2023-44487
- BIT-varnish-2023-44487
- CGA-4mmr-qwxr-f88g
- CGA-5jp5-95p2-jw83
- CGA-5v4r-558c-254r
- CGA-9w4r-68hh-64j5
- CGA-m49h-wjp5-j434
- CGA-mp43-q6p3-96v2
- CVE-2023-44487
- GHSA-qppj-fm5r-hxr3
- GO-2023-2153
- Related
- Published
- 2023-10-25T21:17:37Z
- Modified
- 2024-12-16T15:26:49.544423Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- gRPC-Go HTTP/2 Rapid Reset vulnerability
- Details
-
Impact
In affected releases of gRPC-Go, it is possible for an attacker to send HTTP/2 requests, cancel them, and send subsequent requests, which is valid by the HTTP/2 protocol, but would cause the gRPC-Go server to launch more concurrent method handlers than the configured maximum stream limit.
Patches
This vulnerability was addressed by #6703 and has been included in patch releases: 1.56.3, 1.57.1, 1.58.3. It is also included in the latest release, 1.59.0.
Along with applying the patch, users should also ensure they are using the
grpc.MaxConcurrentStreamsserver option to apply a limit to the server's resources used for any single connection.Workarounds
None.
References
6703
- Database specific
{ "nvd_published_at": null, "cwe_ids": [], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2023-10-25T21:17:37Z" }- References
Affected packages
Go / google.golang.org/grpc
Package
- Name
- google.golang.org/grpc
- View open source insights on deps.dev
- Purl
- pkg:golang/google.golang.org/grpc
Go / google.golang.org/grpc
Package
- Name
- google.golang.org/grpc
- View open source insights on deps.dev
- Purl
- pkg:golang/google.golang.org/grpc
Go / google.golang.org/grpc
Package
- Name
- google.golang.org/grpc
- View open source insights on deps.dev
- Purl
- pkg:golang/google.golang.org/grpc