CVE-2023-44487
CVE Details
Visit the official vulnerability details page for CVE-2023-44487 to learn more.
Initial Publication
10/25/2024
Last Update
12/21/2024
Third Party Dependency
golang.org/x/net
NIST CVE Summary
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
CVE Severity
Our Official Summary
In affected releases of gRPC-Go, it is possible for an attacker to send HTTP/2 requests, cancel them, and send subsequent requests, which is valid by the HTTP/2 protocol, but would cause the gRPC-Go server to launch more concurrent method handlers than the configured maximum stream limit.
The containers where this vulnerability is reported are internal components which requires privileged access and do not expose HTTP endpoints. So the risk of explotation is very low and impact is low as well because containers make the attack surface minimal. We will wait for upstream fixes for the libraries.
Status
Ongoing
Affected Products & Versions
This CVE is non-impacting as the impacting symbol and/or function is not used in the product
Revision History
Date | Revision |
---|---|
12/16/2024 | Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11, 4.5.15 |
11/28/2024 | Official summary revised: In affected releases of gRPC-Go, it is possible for an attacker to send HTTP/2 requests, cancel them, and send subsequent requests, which is valid by the HTTP/2 protocol, but would cause the gRPC-Go server to launch more concurrent method handlers than the configured maximum stream limit.The containers where this vulnerability is reported are internal components which requires privileged access and do not expose HTTP endpoints. So the risk of explotation is very low and impact is low as well because containers make the attack surface minimal. We will wait for upstream fixes for the libraries. |
11/18/2024 | Status changed from Open to Ongoing |
11/18/2024 | Official summary revised: This vulnerability is a false positive. Although this is reported by the scanning tools on some of the containers, further checks indicate the library with the vulnerability while present is not being used. We will upgrade as and when upstream fixes are available. |
11/15/2024 | Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11 |
11/15/2024 | Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10 |
11/13/2024 | Impacted versions changed from 4.5.4, 4.5.5, 4.5.8 to 4.5.4, 4.5.5, 4.5.8, 4.4.20 |
11/10/2024 | Impacted versions changed from 4.5.4, 4.5.5 to 4.5.4, 4.5.5, 4.5.8 |
10/27/2024 | Impacted versions changed from 4.5.4 to 4.5.4, 4.5.5 |