Skip to main content
Version: latest

GHSA-M425-MQ94-257G

CVE Details

GHSA-M425-MQ94-257G

Initial Publication

10/25/2024

Last Update

10/25/2024

Third Party Dependency

google.golang.org/grpc

NIST CVE Summary

gRPC-Go HTTP/2 Rapid Reset vulnerability

CVE Severity

7.5

Our Official Summary

In affected releases of gRPC-Go, it is possible for an attacker to send HTTP/2 requests, cancel them, and send subsequent requests, which is valid by the HTTP/2 protocol, but would cause the gRPC-Go server to launch more concurrent method handlers than the configured maximum stream limit.

The containers where this vulnerability is reported are internal components which requires privileged access and do not expose HTTP endpoints. So the risk of explotation is very low and impact is low as well because containers make the attack surface minimal. We will wait for upstream fixes for the libraries.

Status

Ongoing

Affected Products & Versions

VersionPalette EnterprisePalette Enterprise AirgapVerteXVerteX Airgap
4.5.11ImpactedImpactedImpactedImpacted
4.5.10ImpactedImpactedImpactedImpacted
4.5.8ImpactedImpactedImpactedImpacted
4.5.5ImpactedImpactedImpactedImpacted
4.5.4ImpactedImpactedImpactedImpacted
4.4.20ImpactedImpactedImpactedImpacted

Revision History

DateRevision
11/28/2024Official summary revised: In affected releases of gRPC-Go, it is possible for an attacker to send HTTP/2 requests, cancel them, and send subsequent requests, which is valid by the HTTP/2 protocol, but would cause the gRPC-Go server to launch more concurrent method handlers than the configured maximum stream limit.The containers where this vulnerability is reported are internal components which requires privileged access and do not expose HTTP endpoints. So the risk of explotation is very low and impact is low as well because containers make the attack surface minimal. We will wait for upstream fixes for the libraries.
11/15/2024Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11
11/15/2024Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10
11/13/2024Impacted versions changed from 4.5.4, 4.5.5, 4.5.8 to 4.5.4, 4.5.5, 4.5.8, 4.4.20
11/10/2024Impacted versions changed from 4.5.4, 4.5.5 to 4.5.4, 4.5.5, 4.5.8
10/27/2024Impacted versions changed from 4.5.4 to 4.5.4, 4.5.5