gRPC vulnerability allows client-side scripting and HTTP header leakage
CVE-2024-7246

5.3MEDIUM

Key Information:

Vendor: Google
Status: Grpc
Vendor: CVE Published:; 6 August 2024

What is CVE-2024-7246?

It's possible for a gRPC client communicating with a HTTP/2 proxy to poison the HPACK table between the proxy and the backend such that other clients see failed requests. It's also possible to use this vulnerability to leak other clients HTTP header keys, but not values.

This occurs because the error status for a misencoded header is not cleared between header reads, resulting in subsequent (incrementally indexed) added headers in the first request being poisoned until cleared from the HPACK table.

Please update to a fixed version of gRPC as soon as possible. This bug has been fixed in 1.58.3, 1.59.5, 1.60.2, 1.61.3, 1.62.3, 1.63.2, 1.64.3, 1.65.4.

Affected Version(s)

gRPC 1.53.0

gRPC 1.53.1

gRPC 1.53.2

References

https://github.com/grpc/grpc/issues/36245

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 6, 2024
Vulnerability Reserved
Jul 29, 2024

Google

What is CVE-2024-7246?

Affected Version(s)

References

CVSS V3.1

Timeline