
CVE-2023-44487

CVE Details

Visit the official vulnerability details page for CVE-2023-44487 to learn more.

Initial Publication

10/25/2024

Last Update

12/21/2024

Third Party Dependency

golang.org/x/net

NIST CVE Summary

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

CVE Severity

7.5

Our Official Summary

In affected releases of gRPC-Go, an attacker can send HTTP/2 requests, cancel them, and send further requests. This is valid under the HTTP/2 protocol, but it causes the gRPC-Go server to launch more concurrent method handlers than the configured maximum stream limit.

The containers in which this vulnerability is reported are internal components that require privileged access and do not expose HTTP endpoints, so the likelihood of exploitation is very low and the impact is also low, because the containers keep the attack surface minimal. We will wait for upstream fixes for the libraries.
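The mechanism above is worth seeing in code. The following is an added toy model of one HTTP/2 server connection, written for this page; it is not gRPC-Go or golang.org/x/net code, and every type and function in it (Conn, Event, RapidReset, WellBehavedBurst) is invented for the illustration. The protocol layer only counts open streams against MaxConcurrentStreams, so a client that resets each stream right after opening it is never refused, while every handler already started keeps running until it notices its cancelled context. The CapHandlers flag models the shape of the upstream fix (handler goroutines capped at the stream limit, later requests wait for a slot), simplified here to bookkeeping with no goroutines.

```go
package main

import "fmt"

// Kind of HTTP/2 event seen by the server on one connection.
type Kind int

const (
	Headers     Kind = iota // client opens a stream carrying a request
	RstStream               // client cancels that stream
	HandlerDone             // the server-side method handler returns
)

// Event is one occurrence on a stream (constructed input, not a capture).
type Event struct {
	Kind   Kind
	Stream uint32
}

// Conn is a toy model of an HTTP/2 server connection (not library code).
type Conn struct {
	MaxConcurrentStreams int
	CapHandlers          bool // false: pre-fix behaviour; true: handlers capped at the limit

	open         map[uint32]bool // streams the protocol layer counts as open
	running      map[uint32]bool // method handlers currently executing
	queued       []uint32        // requests waiting for a handler slot (CapHandlers only)
	Refused      []uint32        // streams refused because MaxConcurrentStreams was reached
	PeakHandlers int             // most handlers ever running at once
}

func NewConn(max int, capHandlers bool) *Conn {
	return &Conn{MaxConcurrentStreams: max, CapHandlers: capHandlers,
		open: map[uint32]bool{}, running: map[uint32]bool{}}
}

func (c *Conn) startHandler(id uint32) {
	c.running[id] = true
	if len(c.running) > c.PeakHandlers {
		c.PeakHandlers = len(c.running)
	}
}

// Handle applies one event to the connection state.
func (c *Conn) Handle(ev Event) {
	switch ev.Kind {
	case Headers:
		// Only open streams count; a stream already reset by the client no
		// longer counts, so a resetting client is never refused here.
		if len(c.open) >= c.MaxConcurrentStreams {
			c.Refused = append(c.Refused, ev.Stream)
			return
		}
		c.open[ev.Stream] = true
		if c.CapHandlers && len(c.running) >= c.MaxConcurrentStreams {
			c.queued = append(c.queued, ev.Stream) // wait for a slot instead of spawning
			return
		}
		c.startHandler(ev.Stream)
	case RstStream:
		// Cancellation frees the stream slot at once; a handler that already
		// started keeps running until it observes its cancelled context.
		delete(c.open, ev.Stream)
		for i, id := range c.queued { // a request reset before it started is dropped
			if id == ev.Stream {
				c.queued = append(c.queued[:i], c.queued[i+1:]...)
				break
			}
		}
	case HandlerDone:
		delete(c.running, ev.Stream)
		delete(c.open, ev.Stream)
		if c.CapHandlers && len(c.queued) > 0 {
			next := c.queued[0]
			c.queued = c.queued[1:]
			c.startHandler(next)
		}
	}
}

// RapidReset runs a client that opens n streams and resets each immediately,
// then lets every started handler finish. Returns the peak handler count.
func RapidReset(maxStreams, n int, capHandlers bool) int {
	c := NewConn(maxStreams, capHandlers)
	for i := 0; i < n; i++ {
		id := uint32(2*i + 1) // client-initiated streams use odd identifiers
		c.Handle(Event{Headers, id})
		c.Handle(Event{RstStream, id})
	}
	for i := 0; i < n; i++ {
		c.Handle(Event{HandlerDone, uint32(2*i + 1)})
	}
	return c.PeakHandlers
}

// WellBehavedBurst opens n streams without resetting any and returns how many
// were refused: against a client that keeps streams open, the limit holds.
func WellBehavedBurst(maxStreams, n int) int {
	c := NewConn(maxStreams, false)
	for i := 0; i < n; i++ {
		c.Handle(Event{Headers, uint32(2*i + 1)})
	}
	return len(c.Refused)
}

func main() {
	fmt.Println("honest burst of 10 on limit 2, refused:", WellBehavedBurst(2, 10))
	fmt.Println("rapid reset of 10 on limit 2, pre-fix peak handlers:", RapidReset(2, 10, false))
	fmt.Println("rapid reset of 10 on limit 2, capped peak handlers:", RapidReset(2, 10, true))
}
```

With a limit of 2, the well-behaved burst of 10 has 8 streams refused, the pre-fix rapid-reset client drives 10 handlers concurrently, and the capped variant never exceeds 2. Each handler in a real server costs a goroutine plus whatever work the method does, which is the resource consumption the NIST summary refers to.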

Status

Ongoing

Affected Products & Versions

This CVE is non-impacting because the impacted symbol and/or function is not used in the product.

Revision History

Date        Revision
12/16/2024  Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11, 4.5.15
12/11/2024  Official summary revised: In affected releases of gRPC-Go, it is possible for an attacker to send HTTP/2 requests, cancel them, and send subsequent requests, which is valid under the HTTP/2 protocol, but would cause the gRPC-Go server to launch more concurrent method handlers than the configured maximum stream limit. The containers where this vulnerability is reported are internal components which require privileged access and do not expose HTTP endpoints. So the risk of exploitation is very low and impact is low as well because containers make the attack surface minimal. We will wait for upstream fixes for the libraries.
11/15/2024  Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11
11/15/2024  Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10
11/13/2024  Impacted versions changed from 4.5.4, 4.5.5, 4.5.8 to 4.5.4, 4.5.5, 4.5.8, 4.4.20
11/10/2024  Impacted versions changed from 4.5.4, 4.5.5 to 4.5.4, 4.5.5, 4.5.8
10/27/2024  Impacted versions changed from 4.5.4 to 4.5.4, 4.5.5