CVSS: 7.8EPSS: 94%CPEs: 444EXPL: 17CVE-2023-44487 – HTTP/2 Rapid Reset Attack Vulnerability
https://notcve.org/view.php?id=CVE-2023-44487
10 Oct 2023 — The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. El protocolo HTTP/2 permite una denegación de servicio (consumo de recursos del servidor) porque la cancelación de solicitudes puede restablecer muchas transmisiones rápidamente, como se explotó en la naturaleza entre agosto y octubre de 2023. A flaw was found in handling multiplexed streams in the HTTP/2 protocol. ... • https://github.com/imabee101/CVE-2023-44487 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2023-4785 – Denial of Service in gRPC Core
https://notcve.org/view.php?id=CVE-2023-4785
13 Sep 2023 — Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected. La falta de manejo de errores en el servidor TCP en gRPC de Google a partir de la versión 1.23 en plataformas compatibles con posix (por ejemplo, Linux) permite a un atacante provocar u... • https://github.com/grpc/grpc/pull/33656 • CWE-248: Uncaught Exception •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2023-33953 – Denial-of-Service in gRPC
https://notcve.org/view.php?id=CVE-2023-33953
09 Aug 2023 — gRPC contains a vulnerability that allows hpack table accounting errors could lead to unwanted disconnects between clients and servers in exceptional cases/ Three vectors were found that allow the following DOS attacks: - Unbounded memory buffering in the HPACK parser - Unbounded CPU consumption in the HPACK parser The unbounded CPU consumption is down to a copy that occurred per-input-block in the parser, and because that could be unbounded due to the memory copy bug we end up with an O(n^2) parsing loop, ... • https://cloud.google.com/support/bulletins#gcp-2023-022 • CWE-770: Allocation of Resources Without Limits or Throttling CWE-789: Memory Allocation with Excessive Size Value CWE-834: Excessive Iteration •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-32731 – Information leak in gRPC
https://notcve.org/view.php?id=CVE-2023-32731
09 Jun 2023 — When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. We recomme... • https://github.com/grpc/grpc/pull/32309 • CWE-440: Expected Behavior Violation •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2023-32732 – Denial-of-Service in gRPC
https://notcve.org/view.php?id=CVE-2023-32732
09 Jun 2023 — gRPC contains a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. We recommend upgrading beyond the commit in https://github.com/grpc/grpc/pull/32309 https://www.google.com/url gRPC contiene una vulnerabilidad por la que un cliente puede provocar la finalización de la conexión entre un proxy HTTP2 y un se... • https://github.com/grpc/grpc/pull/32309 • CWE-440: Expected Behavior Violation •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-1428 – Denial-of-Service in gRPC
https://notcve.org/view.php?id=CVE-2023-1428
09 Jun 2023 — There exists an vulnerability causing an abort() to be called in gRPC. The following headers cause gRPC's C++ implementation to abort() when called via http2: te: x (x != trailers) :scheme: x (x != http, https) grpclb_client_stats: x (x == anything) On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB. We recommend upgrading past git commit 2485fa94bd8a723e5c977d55a3ce10b301b437f8 or v1.53 and above. • https://github.com/grpc/grpc/commit/2485fa94bd8a723e5c977d55a3ce10b301b437f8 • CWE-617: Reachable Assertion •
CVSS: 9.8EPSS: 1%CPEs: 2EXPL: 0CVE-2020-7768 – Prototype Pollution
https://notcve.org/view.php?id=CVE-2020-7768
11 Nov 2020 — The package grpc before 1.24.4; the package @grpc/grpc-js before 1.1.8 are vulnerable to Prototype Pollution via loadPackageDefinition. El paquete grpc versiones anteriores a 1.24.4; el paquete @grpc/grpc-js versiones anteriores a 1.1.8, son vulnerables a una contaminación de prototipo por medio de loadPackageDefinition • https://github.com/grpc/grpc-node/pull/1605 • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2017-9431
https://notcve.org/view.php?id=CVE-2017-9431
05 Jun 2017 — Google gRPC before 2017-04-05 has an out-of-bounds write caused by a heap-based buffer overflow related to core/lib/iomgr/error.c. Google gRPC antes del 05-04-2017, presenta una escritura fuera de límites causada por un desbordamiento de búfer en la región heap de la memoria relacionado con el archivo core/lib/iomgr/error.c. • https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1018 • CWE-787: Out-of-bounds Write •
CVSS: 9.8EPSS: 1%CPEs: 1EXPL: 1CVE-2017-8359
https://notcve.org/view.php?id=CVE-2017-8359
30 Apr 2017 — Google gRPC before 2017-03-29 has an out-of-bounds write caused by a heap-based use-after-free related to the grpc_call_destroy function in core/lib/surface/call.c. Google gRPC anterior a 2017-03-29 tiene una escritura fuera de límites causada por un uso después de liberación en el heap y relacionado con la función grpc_call_destroy en core/lib/surface/call.c. • http://www.securityfocus.com/bid/98280 • CWE-787: Out-of-bounds Write •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2017-7860
https://notcve.org/view.php?id=CVE-2017-7860
14 Apr 2017 — Google gRPC before 2017-02-22 has an out-of-bounds write caused by a heap-based buffer overflow related to the parse_unix function in core/ext/client_channel/parse_address.c. Google gRPC en versiones anteriores a 22-02-2017 tiene una escritura fuera de límites provocado por un desbordamiento de búfer basado en memoria dinámica en relación con la función parse_unix function en core/ext/client_chennel/parse_address.c. • http://www.securityfocus.com/bid/97695 • CWE-787: Out-of-bounds Write •