Information leak in gRPC
CVE-2023-32731

7.4HIGH

Key Information:

Vendor: Google
Status: Grpc
Vendor: CVE Published:; 9 June 2023

Summary

A desynchronization vulnerability in gRPC's HTTP2 stack arises when a header size exceeds the allowable limits, causing the system to skip parsing the remainder of the HPACK frame. This results in mutations to the HPACK table going unprocessed, which can affect communication between a proxy and backend systems. As a consequence, requests made by the proxy might be mistakenly interpreted as originating from different clients, leading to potential information leaks. Exploitation of this vulnerability can facilitate privilege escalation or permit unauthorized data exfiltration, making it imperative for users to upgrade their systems to versions beyond the corrective commit.

Affected Version(s)

gRPC 1.53 <= 1.54

References

https://github.com/grpc/grpc/pull/32309

https://github.com/grpc/grpc/pull/33005

CVSS V3.1

Score:

7.4

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jun 9, 2023
Vulnerability Reserved
May 12, 2023