GHSA-m425-mq94-257g

SOURCE - github

Summary

### Impact In affected releases of gRPC-Go, it is possible for an attacker to send HTTP/2 requests, cancel them, and send subsequent requests, which is valid by the HTTP/2 protocol, but would cause the gRPC-Go server to launch more concurrent method handlers than the configured maximum stream limit. ### Patches This vulnerability was addressed by #6703 and has been included in patch releases: 1.56.3, 1.57.1, 1.58.3. It is also included in the latest release, 1.59.0. Along with applying the patch, users should also ensure they are using the grpc.MaxConcurrentStreams server option to apply a limit to the server's resources used for any single connection. ### Workarounds None. ### References #6703

Common Weakness Enumeration (CWE)

Sources (4)

My images

github

CREATED

7 months ago

UPDATED

7 months ago

SOURCE IDGHSA-m425-mq94-257g⁠

EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

7.5high

golang

CREATED

6 months ago

UPDATED

5 months ago

SOURCE IDGO-2023-2153⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM SOURCE

chainguard

CREATED

6 months ago

UPDATED

26 days ago

SOURCE ID

GHSA-m425-mq94-257g

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM SOURCE

wolfi

CREATED

6 months ago

UPDATED

28 days ago

SOURCE ID

GHSA-m425-mq94-257g

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM SOURCE