
GHSA-M425-MQ94-257G

CVE Details

Visit the official vulnerability details page for GHSA-M425-MQ94-257G to learn more.

Initial Publication

10/25/2024

Last Update

12/16/2024

Third Party Dependency

google.golang.org/grpc

NIST CVE Summary

gRPC-Go HTTP/2 Rapid Reset vulnerability

CVE Severity

7.5

Our Official Summary

In affected releases of gRPC-Go, it is possible for an attacker to send HTTP/2 requests, cancel them, and send subsequent requests, which is valid by the HTTP/2 protocol, but would cause the gRPC-Go server to launch more concurrent method handlers than the configured maximum stream limit.

The containers in which this vulnerability is reported are internal components that require privileged access and do not expose HTTP endpoints. The risk of exploitation is therefore very low, and the impact is low as well, because the containers keep the attack surface minimal. We will wait for upstream fixes for the libraries.
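The summary above describes the mechanism in one sentence: the server's MaxConcurrentStreams limit is enforced against streams the transport still considers open, but a stream that the client cancels with RST_STREAM is closed immediately while the method handler it launched keeps running. The following standard-library Go model, added here as an illustration and not code from gRPC-Go or from this product, makes that accounting gap concrete and shows the hardened alternative of gating new streams on handler completion rather than on open streams. The type and function names (streamLimiter, rapidReset) and the request counts are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// streamLimiter is a simplified model of how a server accounts for HTTP/2
// streams against a MaxConcurrentStreams setting. It is not gRPC-Go's code.
//
//   openStreams     - the transport-level view: decremented as soon as the
//                     client resets the stream
//   runningHandlers - decremented only when the method handler returns, which
//                     is what actually consumes goroutines, memory and CPU
type streamLimiter struct {
	maxStreams      int
	openStreams     int
	runningHandlers int
	// gateOnHandlers enables the hardened behaviour: a new stream is only
	// admitted if a handler slot is free, not merely a transport stream slot.
	gateOnHandlers bool
}

var errRefused = errors.New("stream refused: MaxConcurrentStreams reached")

// openStream admits a new stream and launches its handler, or refuses it.
func (l *streamLimiter) openStream() error {
	if l.openStreams >= l.maxStreams {
		return errRefused
	}
	if l.gateOnHandlers && l.runningHandlers >= l.maxStreams {
		return errRefused
	}
	l.openStreams++
	l.runningHandlers++ // a handler goroutine is started for the stream
	return nil
}

// reset models the client cancelling the stream (RST_STREAM). The transport
// closes the stream at once, but the handler keeps running until it observes
// the cancellation and returns.
func (l *streamLimiter) reset() {
	if l.openStreams > 0 {
		l.openStreams--
	}
}

// handlerDone models a method handler returning and freeing its resources.
func (l *streamLimiter) handlerDone() {
	if l.runningHandlers > 0 {
		l.runningHandlers--
	}
}

// rapidReset drives the request/cancel/request pattern from the advisory
// against a server with the given stream limit. Handlers are assumed to be
// slow, so none of them return during the burst. It returns the peak number
// of handlers that were running at the same time.
func rapidReset(limit, requests int, gateOnHandlers bool) int {
	l := &streamLimiter{maxStreams: limit, gateOnHandlers: gateOnHandlers}
	peak := 0
	for i := 0; i < requests; i++ {
		if err := l.openStream(); err != nil {
			continue // refused; a client simply keeps sending
		}
		if l.runningHandlers > peak {
			peak = l.runningHandlers
		}
		l.reset() // cancel immediately, then send the next request
	}
	return peak
}

func main() {
	const limit, requests = 10, 100
	fmt.Printf("limit=%d, open-stream accounting only: peak handlers=%d\n",
		limit, rapidReset(limit, requests, false))
	fmt.Printf("limit=%d, gated on handler completion: peak handlers=%d\n",
		limit, rapidReset(limit, requests, true))
}
```

With open-stream accounting alone, the peak equals the number of requests sent, not the configured limit, which is the behaviour the summary describes. Gating admission on handler completion bounds the peak at the limit; the model still calls handlerDone to free slots, so the cost is only that requests are refused while the server is genuinely saturated. In a real deployment the relevant check is simply whether the bundled google.golang.org/grpc is at a release containing the upstream fix.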

Status

Ongoing

Affected Products & Versions

| Version | Palette Enterprise | Palette Enterprise Airgap | VerteX | VerteX Airgap |
|---------|--------------------|---------------------------|--------|---------------|
| 4.5.15  | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted |
| 4.5.11  | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted |
| 4.5.10  | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted |
| 4.5.8   | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted |
| 4.5.5   | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted |
| 4.5.4   | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted |
| 4.4.20  | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted |

Revision History

| Date | Revision |
|------|----------|
| 12/16/2024 | Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11, 4.5.15 |
| 12/09/2024 | Official summary revised: In affected releases of gRPC-Go, it is possible for an attacker to send HTTP/2 requests, cancel them, and send subsequent requests, which is valid by the HTTP/2 protocol, but would cause the gRPC-Go server to launch more concurrent method handlers than the configured maximum stream limit. The containers in which this vulnerability is reported are internal components that require privileged access and do not expose HTTP endpoints. The risk of exploitation is therefore very low, and the impact is low as well, because the containers keep the attack surface minimal. We will wait for upstream fixes for the libraries. |
| 12/03/2024 | Advisory is now impacting. |
| 12/01/2024 | Advisory is no longer impacting. |
| 12/01/2024 | Official summary revised: This vulnerability is a false positive. Although it is reported by the scanning tools on some of the components, further checks indicate that the vulnerable symbol/function, while present, is not being used. |
| 11/30/2024 | Advisory is now impacting. |
| 11/29/2024 | Official summary revised: In affected releases of gRPC-Go, it is possible for an attacker to send HTTP/2 requests, cancel them, and send subsequent requests, which is valid by the HTTP/2 protocol, but would cause the gRPC-Go server to launch more concurrent method handlers than the configured maximum stream limit. The containers in which this vulnerability is reported are internal components that require privileged access and do not expose HTTP endpoints. The risk of exploitation is therefore very low, and the impact is low as well, because the containers keep the attack surface minimal. We will wait for upstream fixes for the libraries. |
| 11/27/2024 | Advisory is no longer impacting. |
| 11/27/2024 | Official summary revised: This CVE is non-impacting as the impacting symbol and/or function is not used in the product. |
| 11/26/2024 | Advisory is now impacting. |
| 11/26/2024 | Advisory is no longer impacting. |
| 11/26/2024 | Official summary revised: This CVE is non-impacting as the impacting symbol and/or function is not used in the product. |
| 11/25/2024 | Advisory is now impacting. |
| 11/24/2024 | Advisory is no longer impacting. |
| 11/24/2024 | Official summary revised: This CVE is non-impacting as the impacting symbol and/or function is not used in the product. |
| 11/21/2024 | Advisory is now impacting. |
| 11/20/2024 | Advisory is no longer impacting. |
| 11/20/2024 | Official summary revised: This CVE is non-impacting as the impacting symbol and/or function is not used in the product. |
| 11/18/2024 | Advisory is now impacting. |
| 11/18/2024 | Advisory is no longer impacting. |
| 11/18/2024 | Official summary revised: This CVE is non-impacting as the impacting symbol and/or function is not used in the product. |
| 11/17/2024 | Advisory is now impacting. |
| 11/17/2024 | Advisory is no longer impacting. |
| 11/17/2024 | Official summary revised: This CVE is non-impacting as the impacting symbol and/or function is not used in the product. |
| 11/16/2024 | Advisory is now impacting. |
| 11/15/2024 | Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11 |
| 11/15/2024 | Advisory is no longer impacting. |
| 11/15/2024 | Official summary revised: This CVE is non-impacting as the impacting symbol and/or function is not used in the product. |
| 11/15/2024 | Advisory is now impacting. |
| 11/15/2024 | Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10 |
| 11/14/2024 | Advisory is no longer impacting. |
| 11/14/2024 | Official summary revised: This CVE is non-impacting as the impacting symbol and/or function is not used in the product. |
| 11/13/2024 | Impacted versions changed from 4.5.4, 4.5.5, 4.5.8 to 4.5.4, 4.5.5, 4.5.8, 4.4.20 |
| 11/13/2024 | Advisory is now impacting. |
| 11/11/2024 | Advisory is no longer impacting. |
| 11/11/2024 | Official summary revised: This CVE is non-impacting as the impacting symbol and/or function is not used in the product. |
| 11/10/2024 | Impacted versions changed from 4.5.4, 4.5.5 to 4.5.4, 4.5.5, 4.5.8 |
| 11/10/2024 | Advisory is now impacting. |
| 11/06/2024 | Advisory is no longer impacting. |
| 11/06/2024 | Official summary revised: This CVE is non-impacting as the impacting symbol and/or function is not used in the product. |
| 11/02/2024 | Advisory is now impacting. |
| 10/31/2024 | Advisory is no longer impacting. |
| 10/31/2024 | Official summary revised: This CVE is non-impacting as the impacting symbol and/or function is not used in the product. |
| 10/27/2024 | Impacted versions changed from 4.5.4 to 4.5.4, 4.5.5 |
| 10/26/2024 | Advisory is now impacting. |