Denial of Service in gRPC Core
CVE-2023-4785

7.5HIGH

Key Information:

Vendor: Google
Status: gRPC
Vendor: CVE Published:; 13 September 2023

Summary

Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected.

Affected Version(s)

gRPC Posix-compatible platforms 1.56.0 <= 1.56.1

gRPC Posix-compatible platforms 1.55.0 <= 1.55.2

gRPC Posix-compatible platforms 1.54.0 <= 154.2

References

https://github.com/grpc/grpc/pull/33656

https://github.com/grpc/grpc/pull/33667

https://github.com/grpc/grpc/pull/33669

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 13, 2023
Vulnerability Reserved
Sep 6, 2023

Collectors

NVD DatabaseMitre Database