CVE-2023-4785

Denial of Service in gRPC Core

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected.

La falta de manejo de errores en el servidor TCP en gRPC de Google a partir de la versión 1.23 en plataformas compatibles con posix (por ejemplo, Linux) permite a un atacante provocar una denegación de servicio al iniciar una cantidad significativa de conexiones con el servidor. Tenga en cuenta que gRPC C++ Python y Ruby se ven afectados, pero gRPC Java y Go NO se ven afectados.

A flaw was found in gRPC. Lack of error handling in the TCP server in Google's gRPC, starting in version 1.23 on POSIX-compatible platforms (for example, Linux), allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++, Python, and Ruby are affected, but gRPC Java and Go are NOT affected.

*Credits: N/A

CVSS Scores

NISTv3.1 7.5

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

None

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2023-09-06 CVE Reserved
2023-09-13 CVE Published
2024-09-25 CVE Updated
2024-10-15 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-248: Uncaught Exception

CAPEC

CAPEC-125: Flooding

References (7)

URL	Tag	Source
https://github.com/grpc/grpc/pull/33667	Issue Tracking
https://github.com/grpc/grpc/pull/33669	Issue Tracking
https://github.com/grpc/grpc/pull/33670	Issue Tracking
https://github.com/grpc/grpc/pull/33672	Issue Tracking

URL	Date	SRC

URL	Date	SRC
https://github.com/grpc/grpc/pull/33656	2023-09-19

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2023-4785	2024-02-13
https://bugzilla.redhat.com/show_bug.cgi?id=2239017	2024-02-13

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Grpc Search vendor "Grpc"		Grpc Search vendor "Grpc" for product "Grpc"				>= 1.23.0 < 1.53.2 Search vendor "Grpc" for product "Grpc" and version " >= 1.23.0 < 1.53.2"		-		Affected
Grpc Search vendor "Grpc"		Grpc Search vendor "Grpc" for product "Grpc"				>= 1.54.0 < 1.54.3 Search vendor "Grpc" for product "Grpc" and version " >= 1.54.0 < 1.54.3"		-		Affected
Grpc Search vendor "Grpc"		Grpc Search vendor "Grpc" for product "Grpc"				>= 1.55.0 < 1.55.3 Search vendor "Grpc" for product "Grpc" and version " >= 1.55.0 < 1.55.3"		-		Affected
Grpc Search vendor "Grpc"		Grpc Search vendor "Grpc" for product "Grpc"				1.56.0 Search vendor "Grpc" for product "Grpc" and version "1.56.0"		-		Affected