Affected versions of Black are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service.

Affected versions of Black are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service.

Bandit 1.7.7 identifies the str.replace method as a potential risk for SQL injection because it can be misused in constructing SQL queries, potentially enabling the execution of arbitrary SQL code.
https://github.com/PyCQA/bandit/pull/1044/commits/d909043ba20853c90a7cad4a5b58a180f6937bf8

Affected versions of Black are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service.

When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration.

gRPC has a vulnerability linked to hpack table accounting errors, causing potential unwanted disconnects between clients and servers. Identified vectors include unbounded memory buffering and CPU consumption within the HPACK parser, leading to denial-of-service (DOS) attacks. The CPU issue stems from excessive copying, resulting in inefficient parsing. Memory issues arise from delayed header size checks, allowing large strings to be buffered, and a quirk in HPACK's integer encoding, permitting infinite zero-padding. Additionally, metadata overflow checks per frame could enable infinite buffering, compromising gRPC's stability and security.

Grpcio 1.53.0 includes a fix for a Connection Confusion vulnerability. When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration.
https://github.com/advisories/GHSA-cfgp-2977-2fmm

Grpcio 1.53.0 includes a fix for a Connection Termination vulnerability. The prior versions contain a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for -bin suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies.
https://github.com/advisories/GHSA-9hxf-ppjv-w6rq

Grpcio 1.53.2, 1.54.3, 1.55.3 and 1.56.2 include a fix for CVE-2023-4785: Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected.
https://github.com/grpc/grpc/pull/33656

There exists an vulnerability causing an abort() to be called in gRPC.  The following headers cause gRPC's C++ implementation to abort() when called via http2: te: x (x != trailers) :scheme: x (x != http, https) grpclb_client_stats: x (x == anything) On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB.

gRPC contains a vulnerability whereby a client can cause a termination of the connection between an HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies.

Grpcio 1.53.0 includes a fix for a Reachable Assertion vulnerability. 
https://github.com/advisories/GHSA-6628-q6j9-w8vg

When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration.

gRPC has a vulnerability linked to hpack table accounting errors, causing potential unwanted disconnects between clients and servers. Identified vectors include unbounded memory buffering and CPU consumption within the HPACK parser, leading to denial-of-service (DOS) attacks. The CPU issue stems from excessive copying, resulting in inefficient parsing. Memory issues arise from delayed header size checks, allowing large strings to be buffered, and a quirk in HPACK's integer encoding, permitting infinite zero-padding. Additionally, metadata overflow checks per frame could enable infinite buffering, compromising gRPC's stability and security.

Grpcio 1.53.0 includes a fix for a Connection Confusion vulnerability. When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration.
https://github.com/advisories/GHSA-cfgp-2977-2fmm

Grpcio 1.53.0 includes a fix for a Connection Termination vulnerability. The prior versions contain a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for -bin suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies.
https://github.com/advisories/GHSA-9hxf-ppjv-w6rq

Grpcio 1.53.2, 1.54.3, 1.55.3 and 1.56.2 include a fix for CVE-2023-4785: Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected.
https://github.com/grpc/grpc/pull/33656

There exists an vulnerability causing an abort() to be called in gRPC.  The following headers cause gRPC's C++ implementation to abort() when called via http2: te: x (x != trailers) :scheme: x (x != http, https) grpclb_client_stats: x (x == anything) On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB.

gRPC contains a vulnerability whereby a client can cause a termination of the connection between an HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies.

Grpcio 1.53.0 includes a fix for a Reachable Assertion vulnerability. 
https://github.com/advisories/GHSA-6628-q6j9-w8vg

Affected versions of Black are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service.

Affected versions of Black are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service.

Bandit 1.7.7 identifies the str.replace method as a potential risk for SQL injection because it can be misused in constructing SQL queries, potentially enabling the execution of arbitrary SQL code.
https://github.com/PyCQA/bandit/pull/1044/commits/d909043ba20853c90a7cad4a5b58a180f6937bf8

Affected versions of Black are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service.

When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration.

gRPC has a vulnerability linked to hpack table accounting errors, causing potential unwanted disconnects between clients and servers. Identified vectors include unbounded memory buffering and CPU consumption within the HPACK parser, leading to denial-of-service (DOS) attacks. The CPU issue stems from excessive copying, resulting in inefficient parsing. Memory issues arise from delayed header size checks, allowing large strings to be buffered, and a quirk in HPACK's integer encoding, permitting infinite zero-padding. Additionally, metadata overflow checks per frame could enable infinite buffering, compromising gRPC's stability and security.

Grpcio 1.53.0 includes a fix for a Connection Confusion vulnerability. When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration.
https://github.com/advisories/GHSA-cfgp-2977-2fmm

Grpcio 1.53.0 includes a fix for a Connection Termination vulnerability. The prior versions contain a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for -bin suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies.
https://github.com/advisories/GHSA-9hxf-ppjv-w6rq

Grpcio 1.53.2, 1.54.3, 1.55.3 and 1.56.2 include a fix for CVE-2023-4785: Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected.
https://github.com/grpc/grpc/pull/33656

There exists an vulnerability causing an abort() to be called in gRPC.  The following headers cause gRPC's C++ implementation to abort() when called via http2: te: x (x != trailers) :scheme: x (x != http, https) grpclb_client_stats: x (x == anything) On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB.

gRPC contains a vulnerability whereby a client can cause a termination of the connection between an HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies.

Grpcio 1.53.0 includes a fix for a Reachable Assertion vulnerability. 
https://github.com/advisories/GHSA-6628-q6j9-w8vg

When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration.

gRPC has a vulnerability linked to hpack table accounting errors, causing potential unwanted disconnects between clients and servers. Identified vectors include unbounded memory buffering and CPU consumption within the HPACK parser, leading to denial-of-service (DOS) attacks. The CPU issue stems from excessive copying, resulting in inefficient parsing. Memory issues arise from delayed header size checks, allowing large strings to be buffered, and a quirk in HPACK's integer encoding, permitting infinite zero-padding. Additionally, metadata overflow checks per frame could enable infinite buffering, compromising gRPC's stability and security.

Grpcio 1.53.0 includes a fix for a Connection Confusion vulnerability. When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration.
https://github.com/advisories/GHSA-cfgp-2977-2fmm

Grpcio 1.53.0 includes a fix for a Connection Termination vulnerability. The prior versions contain a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for -bin suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies.
https://github.com/advisories/GHSA-9hxf-ppjv-w6rq

Grpcio 1.53.2, 1.54.3, 1.55.3 and 1.56.2 include a fix for CVE-2023-4785: Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected.
https://github.com/grpc/grpc/pull/33656

There exists an vulnerability causing an abort() to be called in gRPC.  The following headers cause gRPC's C++ implementation to abort() when called via http2: te: x (x != trailers) :scheme: x (x != http, https) grpclb_client_stats: x (x == anything) On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB.

gRPC contains a vulnerability whereby a client can cause a termination of the connection between an HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies.

Grpcio 1.53.0 includes a fix for a Reachable Assertion vulnerability. 
https://github.com/advisories/GHSA-6628-q6j9-w8vg

Affected versions of Black are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service.

Affected versions of Black are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service.

Bandit 1.7.7 identifies the str.replace method as a potential risk for SQL injection because it can be misused in constructing SQL queries, potentially enabling the execution of arbitrary SQL code.
https://github.com/PyCQA/bandit/pull/1044/commits/d909043ba20853c90a7cad4a5b58a180f6937bf8

Affected versions of Black are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service.

When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration.

gRPC has a vulnerability linked to hpack table accounting errors, causing potential unwanted disconnects between clients and servers. Identified vectors include unbounded memory buffering and CPU consumption within the HPACK parser, leading to denial-of-service (DOS) attacks. The CPU issue stems from excessive copying, resulting in inefficient parsing. Memory issues arise from delayed header size checks, allowing large strings to be buffered, and a quirk in HPACK's integer encoding, permitting infinite zero-padding. Additionally, metadata overflow checks per frame could enable infinite buffering, compromising gRPC's stability and security.

Grpcio 1.53.0 includes a fix for a Connection Confusion vulnerability. When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration.
https://github.com/advisories/GHSA-cfgp-2977-2fmm

Grpcio 1.53.0 includes a fix for a Connection Termination vulnerability. The prior versions contain a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for -bin suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies.
https://github.com/advisories/GHSA-9hxf-ppjv-w6rq

Grpcio 1.53.2, 1.54.3, 1.55.3 and 1.56.2 include a fix for CVE-2023-4785: Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected.
https://github.com/grpc/grpc/pull/33656

There exists an vulnerability causing an abort() to be called in gRPC.  The following headers cause gRPC's C++ implementation to abort() when called via http2: te: x (x != trailers) :scheme: x (x != http, https) grpclb_client_stats: x (x == anything) On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB.

gRPC contains a vulnerability whereby a client can cause a termination of the connection between an HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies.

Grpcio 1.53.0 includes a fix for a Reachable Assertion vulnerability. 
https://github.com/advisories/GHSA-6628-q6j9-w8vg

When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration.

gRPC has a vulnerability linked to hpack table accounting errors, causing potential unwanted disconnects between clients and servers. Identified vectors include unbounded memory buffering and CPU consumption within the HPACK parser, leading to denial-of-service (DOS) attacks. The CPU issue stems from excessive copying, resulting in inefficient parsing. Memory issues arise from delayed header size checks, allowing large strings to be buffered, and a quirk in HPACK's integer encoding, permitting infinite zero-padding. Additionally, metadata overflow checks per frame could enable infinite buffering, compromising gRPC's stability and security.

Grpcio 1.53.0 includes a fix for a Connection Confusion vulnerability. When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration.
https://github.com/advisories/GHSA-cfgp-2977-2fmm

Grpcio 1.53.0 includes a fix for a Connection Termination vulnerability. The prior versions contain a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for -bin suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies.
https://github.com/advisories/GHSA-9hxf-ppjv-w6rq

Grpcio 1.53.2, 1.54.3, 1.55.3 and 1.56.2 include a fix for CVE-2023-4785: Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected.
https://github.com/grpc/grpc/pull/33656

There exists an vulnerability causing an abort() to be called in gRPC.  The following headers cause gRPC's C++ implementation to abort() when called via http2: te: x (x != trailers) :scheme: x (x != http, https) grpclb_client_stats: x (x == anything) On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB.

gRPC contains a vulnerability whereby a client can cause a termination of the connection between an HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies.

Grpcio 1.53.0 includes a fix for a Reachable Assertion vulnerability. 
https://github.com/advisories/GHSA-6628-q6j9-w8vg

Affected versions of Black are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service.

Affected versions of Black are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service.

Bandit 1.7.7 identifies the str.replace method as a potential risk for SQL injection because it can be misused in constructing SQL queries, potentially enabling the execution of arbitrary SQL code.
https://github.com/PyCQA/bandit/pull/1044/commits/d909043ba20853c90a7cad4a5b58a180f6937bf8

Affected versions of Black are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service.

When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration.

gRPC has a vulnerability linked to hpack table accounting errors, causing potential unwanted disconnects between clients and servers. Identified vectors include unbounded memory buffering and CPU consumption within the HPACK parser, leading to denial-of-service (DOS) attacks. The CPU issue stems from excessive copying, resulting in inefficient parsing. Memory issues arise from delayed header size checks, allowing large strings to be buffered, and a quirk in HPACK's integer encoding, permitting infinite zero-padding. Additionally, metadata overflow checks per frame could enable infinite buffering, compromising gRPC's stability and security.

Grpcio 1.53.0 includes a fix for a Connection Confusion vulnerability. When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration.
https://github.com/advisories/GHSA-cfgp-2977-2fmm

Grpcio 1.53.0 includes a fix for a Connection Termination vulnerability. The prior versions contain a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for -bin suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies.
https://github.com/advisories/GHSA-9hxf-ppjv-w6rq

Grpcio 1.53.2, 1.54.3, 1.55.3 and 1.56.2 include a fix for CVE-2023-4785: Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected.
https://github.com/grpc/grpc/pull/33656

There exists an vulnerability causing an abort() to be called in gRPC.  The following headers cause gRPC's C++ implementation to abort() when called via http2: te: x (x != trailers) :scheme: x (x != http, https) grpclb_client_stats: x (x == anything) On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB.

gRPC contains a vulnerability whereby a client can cause a termination of the connection between an HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies.

Grpcio 1.53.0 includes a fix for a Reachable Assertion vulnerability. 
https://github.com/advisories/GHSA-6628-q6j9-w8vg

When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration.

gRPC has a vulnerability linked to hpack table accounting errors, causing potential unwanted disconnects between clients and servers. Identified vectors include unbounded memory buffering and CPU consumption within the HPACK parser, leading to denial-of-service (DOS) attacks. The CPU issue stems from excessive copying, resulting in inefficient parsing. Memory issues arise from delayed header size checks, allowing large strings to be buffered, and a quirk in HPACK's integer encoding, permitting infinite zero-padding. Additionally, metadata overflow checks per frame could enable infinite buffering, compromising gRPC's stability and security.

Grpcio 1.53.0 includes a fix for a Connection Confusion vulnerability. When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration.
https://github.com/advisories/GHSA-cfgp-2977-2fmm

Grpcio 1.53.0 includes a fix for a Connection Termination vulnerability. The prior versions contain a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for -bin suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies.
https://github.com/advisories/GHSA-9hxf-ppjv-w6rq

Grpcio 1.53.2, 1.54.3, 1.55.3 and 1.56.2 include a fix for CVE-2023-4785: Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected.
https://github.com/grpc/grpc/pull/33656

There exists an vulnerability causing an abort() to be called in gRPC.  The following headers cause gRPC's C++ implementation to abort() when called via http2: te: x (x != trailers) :scheme: x (x != http, https) grpclb_client_stats: x (x == anything) On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB.

gRPC contains a vulnerability whereby a client can cause a termination of the connection between an HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies.

Grpcio 1.53.0 includes a fix for a Reachable Assertion vulnerability. 
https://github.com/advisories/GHSA-6628-q6j9-w8vg

Bandit 1.7.7 identifies the str.replace method as a potential risk for SQL injection because it can be misused in constructing SQL queries, potentially enabling the execution of arbitrary SQL code.
https://github.com/PyCQA/bandit/pull/1044/commits/d909043ba20853c90a7cad4a5b58a180f6937bf8

Bandit 1.7.7 identifies the str.replace method as a potential risk for SQL injection because it can be misused in constructing SQL queries, potentially enabling the execution of arbitrary SQL code.
https://github.com/PyCQA/bandit/pull/1044/commits/d909043ba20853c90a7cad4a5b58a180f6937bf8

Bandit 1.7.7 identifies the str.replace method as a potential risk for SQL injection because it can be misused in constructing SQL queries, potentially enabling the execution of arbitrary SQL code.
https://github.com/PyCQA/bandit/pull/1044/commits/d909043ba20853c90a7cad4a5b58a180f6937bf8

Bandit 1.7.7 identifies the str.replace method as a potential risk for SQL injection because it can be misused in constructing SQL queries, potentially enabling the execution of arbitrary SQL code.
https://github.com/PyCQA/bandit/pull/1044/commits/d909043ba20853c90a7cad4a5b58a180f6937bf8

When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration.

gRPC has a vulnerability linked to hpack table accounting errors, causing potential unwanted disconnects between clients and servers. Identified vectors include unbounded memory buffering and CPU consumption within the HPACK parser, leading to denial-of-service (DOS) attacks. The CPU issue stems from excessive copying, resulting in inefficient parsing. Memory issues arise from delayed header size checks, allowing large strings to be buffered, and a quirk in HPACK's integer encoding, permitting infinite zero-padding. Additionally, metadata overflow checks per frame could enable infinite buffering, compromising gRPC's stability and security.

Grpcio 1.53.0 includes a fix for a Connection Confusion vulnerability. When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration.
https://github.com/advisories/GHSA-cfgp-2977-2fmm

Grpcio 1.53.0 includes a fix for a Connection Termination vulnerability. The prior versions contain a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for -bin suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies.
https://github.com/advisories/GHSA-9hxf-ppjv-w6rq

Grpcio 1.53.2, 1.54.3, 1.55.3 and 1.56.2 include a fix for CVE-2023-4785: Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected.
https://github.com/grpc/grpc/pull/33656

There exists an vulnerability causing an abort() to be called in gRPC.  The following headers cause gRPC's C++ implementation to abort() when called via http2: te: x (x != trailers) :scheme: x (x != http, https) grpclb_client_stats: x (x == anything) On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB.

gRPC contains a vulnerability whereby a client can cause a termination of the connection between an HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies.

Grpcio 1.53.0 includes a fix for a Reachable Assertion vulnerability. 
https://github.com/advisories/GHSA-6628-q6j9-w8vg

Bandit 1.7.7 identifies the str.replace method as a potential risk for SQL injection because it can be misused in constructing SQL queries, potentially enabling the execution of arbitrary SQL code.
https://github.com/PyCQA/bandit/pull/1044/commits/d909043ba20853c90a7cad4a5b58a180f6937bf8

When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration.

gRPC has a vulnerability linked to hpack table accounting errors, causing potential unwanted disconnects between clients and servers. Identified vectors include unbounded memory buffering and CPU consumption within the HPACK parser, leading to denial-of-service (DOS) attacks. The CPU issue stems from excessive copying, resulting in inefficient parsing. Memory issues arise from delayed header size checks, allowing large strings to be buffered, and a quirk in HPACK's integer encoding, permitting infinite zero-padding. Additionally, metadata overflow checks per frame could enable infinite buffering, compromising gRPC's stability and security.

Grpcio 1.53.0 includes a fix for a Connection Confusion vulnerability. When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration.
https://github.com/advisories/GHSA-cfgp-2977-2fmm

Grpcio 1.53.0 includes a fix for a Connection Termination vulnerability. The prior versions contain a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for -bin suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies.
https://github.com/advisories/GHSA-9hxf-ppjv-w6rq

Grpcio 1.53.2, 1.54.3, 1.55.3 and 1.56.2 include a fix for CVE-2023-4785: Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected.
https://github.com/grpc/grpc/pull/33656

There exists an vulnerability causing an abort() to be called in gRPC.  The following headers cause gRPC's C++ implementation to abort() when called via http2: te: x (x != trailers) :scheme: x (x != http, https) grpclb_client_stats: x (x == anything) On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB.

gRPC contains a vulnerability whereby a client can cause a termination of the connection between an HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies.

Grpcio 1.53.0 includes a fix for a Reachable Assertion vulnerability. 
https://github.com/advisories/GHSA-6628-q6j9-w8vg

When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration.

gRPC has a vulnerability linked to hpack table accounting errors, causing potential unwanted disconnects between clients and servers. Identified vectors include unbounded memory buffering and CPU consumption within the HPACK parser, leading to denial-of-service (DOS) attacks. The CPU issue stems from excessive copying, resulting in inefficient parsing. Memory issues arise from delayed header size checks, allowing large strings to be buffered, and a quirk in HPACK's integer encoding, permitting infinite zero-padding. Additionally, metadata overflow checks per frame could enable infinite buffering, compromising gRPC's stability and security.

Grpcio 1.53.0 includes a fix for a Connection Confusion vulnerability. When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration.
https://github.com/advisories/GHSA-cfgp-2977-2fmm

Grpcio 1.53.0 includes a fix for a Connection Termination vulnerability. The prior versions contain a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for -bin suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies.
https://github.com/advisories/GHSA-9hxf-ppjv-w6rq

Grpcio 1.53.2, 1.54.3, 1.55.3 and 1.56.2 include a fix for CVE-2023-4785: Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected.
https://github.com/grpc/grpc/pull/33656

There exists an vulnerability causing an abort() to be called in gRPC.  The following headers cause gRPC's C++ implementation to abort() when called via http2: te: x (x != trailers) :scheme: x (x != http, https) grpclb_client_stats: x (x == anything) On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB.

gRPC contains a vulnerability whereby a client can cause a termination of the connection between an HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies.

Grpcio 1.53.0 includes a fix for a Reachable Assertion vulnerability. 
https://github.com/advisories/GHSA-6628-q6j9-w8vg

Bandit 1.7.7 identifies the str.replace method as a potential risk for SQL injection because it can be misused in constructing SQL queries, potentially enabling the execution of arbitrary SQL code.
https://github.com/PyCQA/bandit/pull/1044/commits/d909043ba20853c90a7cad4a5b58a180f6937bf8

Affected versions of Black are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service.

When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration.

gRPC has a vulnerability linked to hpack table accounting errors, causing potential unwanted disconnects between clients and servers. Identified vectors include unbounded memory buffering and CPU consumption within the HPACK parser, leading to denial-of-service (DOS) attacks. The CPU issue stems from excessive copying, resulting in inefficient parsing. Memory issues arise from delayed header size checks, allowing large strings to be buffered, and a quirk in HPACK's integer encoding, permitting infinite zero-padding. Additionally, metadata overflow checks per frame could enable infinite buffering, compromising gRPC's stability and security.

Grpcio 1.53.0 includes a fix for a Connection Confusion vulnerability. When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration.
https://github.com/advisories/GHSA-cfgp-2977-2fmm

Grpcio 1.53.0 includes a fix for a Connection Termination vulnerability. The prior versions contain a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for -bin suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies.
https://github.com/advisories/GHSA-9hxf-ppjv-w6rq

Grpcio 1.53.2, 1.54.3, 1.55.3 and 1.56.2 include a fix for CVE-2023-4785: Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected.
https://github.com/grpc/grpc/pull/33656

There exists an vulnerability causing an abort() to be called in gRPC.  The following headers cause gRPC's C++ implementation to abort() when called via http2: te: x (x != trailers) :scheme: x (x != http, https) grpclb_client_stats: x (x == anything) On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB.

gRPC contains a vulnerability whereby a client can cause a termination of the connection between an HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies.

Grpcio 1.53.0 includes a fix for a Reachable Assertion vulnerability. 
https://github.com/advisories/GHSA-6628-q6j9-w8vg

When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration.

gRPC has a vulnerability linked to hpack table accounting errors, causing potential unwanted disconnects between clients and servers. Identified vectors include unbounded memory buffering and CPU consumption within the HPACK parser, leading to denial-of-service (DOS) attacks. The CPU issue stems from excessive copying, resulting in inefficient parsing. Memory issues arise from delayed header size checks, allowing large strings to be buffered, and a quirk in HPACK's integer encoding, permitting infinite zero-padding. Additionally, metadata overflow checks per frame could enable infinite buffering, compromising gRPC's stability and security.

Grpcio 1.53.0 includes a fix for a Connection Confusion vulnerability. When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration.
https://github.com/advisories/GHSA-cfgp-2977-2fmm

Grpcio 1.53.0 includes a fix for a Connection Termination vulnerability. The prior versions contain a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for -bin suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies.
https://github.com/advisories/GHSA-9hxf-ppjv-w6rq

Grpcio 1.53.2, 1.54.3, 1.55.3 and 1.56.2 include a fix for CVE-2023-4785: Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected.
https://github.com/grpc/grpc/pull/33656

There exists an vulnerability causing an abort() to be called in gRPC.  The following headers cause gRPC's C++ implementation to abort() when called via http2: te: x (x != trailers) :scheme: x (x != http, https) grpclb_client_stats: x (x == anything) On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB.

gRPC contains a vulnerability whereby a client can cause a termination of the connection between an HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies.

Grpcio 1.53.0 includes a fix for a Reachable Assertion vulnerability. 
https://github.com/advisories/GHSA-6628-q6j9-w8vg

Affected versions of Black are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service.

Affected versions of Black are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service.

Bandit 1.7.7 identifies the str.replace method as a potential risk for SQL injection because it can be misused in constructing SQL queries, potentially enabling the execution of arbitrary SQL code.
https://github.com/PyCQA/bandit/pull/1044/commits/d909043ba20853c90a7cad4a5b58a180f6937bf8

Affected versions of Black are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service.

When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration.

gRPC has a vulnerability linked to hpack table accounting errors, causing potential unwanted disconnects between clients and servers. Identified vectors include unbounded memory buffering and CPU consumption within the HPACK parser, leading to denial-of-service (DOS) attacks. The CPU issue stems from excessive copying, resulting in inefficient parsing. Memory issues arise from delayed header size checks, allowing large strings to be buffered, and a quirk in HPACK's integer encoding, permitting infinite zero-padding. Additionally, metadata overflow checks per frame could enable infinite buffering, compromising gRPC's stability and security.

Grpcio 1.53.0 includes a fix for a Connection Confusion vulnerability. When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration.
https://github.com/advisories/GHSA-cfgp-2977-2fmm

Grpcio 1.53.0 includes a fix for a Connection Termination vulnerability. The prior versions contain a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for -bin suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies.
https://github.com/advisories/GHSA-9hxf-ppjv-w6rq

Grpcio 1.53.2, 1.54.3, 1.55.3 and 1.56.2 include a fix for CVE-2023-4785: Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected.
https://github.com/grpc/grpc/pull/33656

There exists an vulnerability causing an abort() to be called in gRPC.  The following headers cause gRPC's C++ implementation to abort() when called via http2: te: x (x != trailers) :scheme: x (x != http, https) grpclb_client_stats: x (x == anything) On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB.

gRPC contains a vulnerability whereby a client can cause a termination of the connection between an HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies.

Grpcio 1.53.0 includes a fix for a Reachable Assertion vulnerability. 
https://github.com/advisories/GHSA-6628-q6j9-w8vg

When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration.

gRPC has a vulnerability linked to hpack table accounting errors, causing potential unwanted disconnects between clients and servers. Identified vectors include unbounded memory buffering and CPU consumption within the HPACK parser, leading to denial-of-service (DOS) attacks. The CPU issue stems from excessive copying, resulting in inefficient parsing. Memory issues arise from delayed header size checks, allowing large strings to be buffered, and a quirk in HPACK's integer encoding, permitting infinite zero-padding. Additionally, metadata overflow checks per frame could enable infinite buffering, compromising gRPC's stability and security.

Grpcio 1.53.0 includes a fix for a Connection Confusion vulnerability. When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration.
https://github.com/advisories/GHSA-cfgp-2977-2fmm

Grpcio 1.53.0 includes a fix for a Connection Termination vulnerability. The prior versions contain a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for -bin suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies.
https://github.com/advisories/GHSA-9hxf-ppjv-w6rq

Grpcio 1.53.2, 1.54.3, 1.55.3 and 1.56.2 include a fix for CVE-2023-4785: Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected.
https://github.com/grpc/grpc/pull/33656

There exists an vulnerability causing an abort() to be called in gRPC.  The following headers cause gRPC's C++ implementation to abort() when called via http2: te: x (x != trailers) :scheme: x (x != http, https) grpclb_client_stats: x (x == anything) On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB.

gRPC contains a vulnerability whereby a client can cause a termination of the connection between an HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies.

Grpcio 1.53.0 includes a fix for a Reachable Assertion vulnerability. 
https://github.com/advisories/GHSA-6628-q6j9-w8vg

Affected versions of Black are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service.

Affected versions of Black are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service.

Bandit 1.7.7 identifies the str.replace method as a potential risk for SQL injection because it can be misused in constructing SQL queries, potentially enabling the execution of arbitrary SQL code.
https://github.com/PyCQA/bandit/pull/1044/commits/d909043ba20853c90a7cad4a5b58a180f6937bf8

Affected versions of Black are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service.

When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration.

gRPC has a vulnerability linked to hpack table accounting errors, causing potential unwanted disconnects between clients and servers. Identified vectors include unbounded memory buffering and CPU consumption within the HPACK parser, leading to denial-of-service (DOS) attacks. The CPU issue stems from excessive copying, resulting in inefficient parsing. Memory issues arise from delayed header size checks, allowing large strings to be buffered, and a quirk in HPACK's integer encoding, permitting infinite zero-padding. Additionally, metadata overflow checks per frame could enable infinite buffering, compromising gRPC's stability and security.

Grpcio 1.53.0 includes a fix for a Connection Confusion vulnerability. When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration.
https://github.com/advisories/GHSA-cfgp-2977-2fmm

Grpcio 1.53.0 includes a fix for a Connection Termination vulnerability. The prior versions contain a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for -bin suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies.
https://github.com/advisories/GHSA-9hxf-ppjv-w6rq

Grpcio 1.53.2, 1.54.3, 1.55.3 and 1.56.2 include a fix for CVE-2023-4785: Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected.
https://github.com/grpc/grpc/pull/33656

There exists an vulnerability causing an abort() to be called in gRPC.  The following headers cause gRPC's C++ implementation to abort() when called via http2: te: x (x != trailers) :scheme: x (x != http, https) grpclb_client_stats: x (x == anything) On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB.

gRPC contains a vulnerability whereby a client can cause a termination of the connection between an HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies.

Grpcio 1.53.0 includes a fix for a Reachable Assertion vulnerability. 
https://github.com/advisories/GHSA-6628-q6j9-w8vg

When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration.

gRPC has a vulnerability linked to hpack table accounting errors, causing potential unwanted disconnects between clients and servers. Identified vectors include unbounded memory buffering and CPU consumption within the HPACK parser, leading to denial-of-service (DOS) attacks. The CPU issue stems from excessive copying, resulting in inefficient parsing. Memory issues arise from delayed header size checks, allowing large strings to be buffered, and a quirk in HPACK's integer encoding, permitting infinite zero-padding. Additionally, metadata overflow checks per frame could enable infinite buffering, compromising gRPC's stability and security.

Grpcio 1.53.0 includes a fix for a Connection Confusion vulnerability. When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration.
https://github.com/advisories/GHSA-cfgp-2977-2fmm

Grpcio 1.53.0 includes a fix for a Connection Termination vulnerability. The prior versions contain a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for -bin suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies.
https://github.com/advisories/GHSA-9hxf-ppjv-w6rq

Grpcio 1.53.2, 1.54.3, 1.55.3 and 1.56.2 include a fix for CVE-2023-4785: Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected.
https://github.com/grpc/grpc/pull/33656

There exists an vulnerability causing an abort() to be called in gRPC.  The following headers cause gRPC's C++ implementation to abort() when called via http2: te: x (x != trailers) :scheme: x (x != http, https) grpclb_client_stats: x (x == anything) On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB.

gRPC contains a vulnerability whereby a client can cause a termination of the connection between an HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies.

Grpcio 1.53.0 includes a fix for a Reachable Assertion vulnerability. 
https://github.com/advisories/GHSA-6628-q6j9-w8vg

Affected versions of Black are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service.

Affected versions of Black are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service.

Bandit 1.7.7 identifies the str.replace method as a potential risk for SQL injection because it can be misused in constructing SQL queries, potentially enabling the execution of arbitrary SQL code.
https://github.com/PyCQA/bandit/pull/1044/commits/d909043ba20853c90a7cad4a5b58a180f6937bf8

Affected versions of Black are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service.

When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration.

gRPC has a vulnerability linked to hpack table accounting errors, causing potential unwanted disconnects between clients and servers. Identified vectors include unbounded memory buffering and CPU consumption within the HPACK parser, leading to denial-of-service (DOS) attacks. The CPU issue stems from excessive copying, resulting in inefficient parsing. Memory issues arise from delayed header size checks, allowing large strings to be buffered, and a quirk in HPACK's integer encoding, permitting infinite zero-padding. Additionally, metadata overflow checks per frame could enable infinite buffering, compromising gRPC's stability and security.

Grpcio 1.53.0 includes a fix for a Connection Confusion vulnerability. When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration.
https://github.com/advisories/GHSA-cfgp-2977-2fmm

Grpcio 1.53.0 includes a fix for a Connection Termination vulnerability. The prior versions contain a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for -bin suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies.
https://github.com/advisories/GHSA-9hxf-ppjv-w6rq

Grpcio 1.53.2, 1.54.3, 1.55.3 and 1.56.2 include a fix for CVE-2023-4785: Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected.
https://github.com/grpc/grpc/pull/33656

There exists an vulnerability causing an abort() to be called in gRPC.  The following headers cause gRPC's C++ implementation to abort() when called via http2: te: x (x != trailers) :scheme: x (x != http, https) grpclb_client_stats: x (x == anything) On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB.

gRPC contains a vulnerability whereby a client can cause a termination of the connection between an HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies.

Grpcio 1.53.0 includes a fix for a Reachable Assertion vulnerability. 
https://github.com/advisories/GHSA-6628-q6j9-w8vg

When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration.

gRPC has a vulnerability linked to hpack table accounting errors, causing potential unwanted disconnects between clients and servers. Identified vectors include unbounded memory buffering and CPU consumption within the HPACK parser, leading to denial-of-service (DOS) attacks. The CPU issue stems from excessive copying, resulting in inefficient parsing. Memory issues arise from delayed header size checks, allowing large strings to be buffered, and a quirk in HPACK's integer encoding, permitting infinite zero-padding. Additionally, metadata overflow checks per frame could enable infinite buffering, compromising gRPC's stability and security.

Grpcio 1.53.0 includes a fix for a Connection Confusion vulnerability. When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration.
https://github.com/advisories/GHSA-cfgp-2977-2fmm

Grpcio 1.53.0 includes a fix for a Connection Termination vulnerability. The prior versions contain a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for -bin suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies.
https://github.com/advisories/GHSA-9hxf-ppjv-w6rq

Grpcio 1.53.2, 1.54.3, 1.55.3 and 1.56.2 include a fix for CVE-2023-4785: Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected.
https://github.com/grpc/grpc/pull/33656

There exists an vulnerability causing an abort() to be called in gRPC.  The following headers cause gRPC's C++ implementation to abort() when called via http2: te: x (x != trailers) :scheme: x (x != http, https) grpclb_client_stats: x (x == anything) On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB.

gRPC contains a vulnerability whereby a client can cause a termination of the connection between an HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies.

Grpcio 1.53.0 includes a fix for a Reachable Assertion vulnerability. 
https://github.com/advisories/GHSA-6628-q6j9-w8vg

Affected versions of Black are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service.

Affected versions of Black are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service.

Bandit 1.7.7 identifies the str.replace method as a potential risk for SQL injection because it can be misused in constructing SQL queries, potentially enabling the execution of arbitrary SQL code.
https://github.com/PyCQA/bandit/pull/1044/commits/d909043ba20853c90a7cad4a5b58a180f6937bf8

Affected versions of Black are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service.

When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration.

gRPC has a vulnerability linked to hpack table accounting errors, causing potential unwanted disconnects between clients and servers. Identified vectors include unbounded memory buffering and CPU consumption within the HPACK parser, leading to denial-of-service (DOS) attacks. The CPU issue stems from excessive copying, resulting in inefficient parsing. Memory issues arise from delayed header size checks, allowing large strings to be buffered, and a quirk in HPACK's integer encoding, permitting infinite zero-padding. Additionally, metadata overflow checks per frame could enable infinite buffering, compromising gRPC's stability and security.

Grpcio 1.53.0 includes a fix for a Connection Confusion vulnerability. When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration.
https://github.com/advisories/GHSA-cfgp-2977-2fmm

Grpcio 1.53.0 includes a fix for a Connection Termination vulnerability. The prior versions contain a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for -bin suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies.
https://github.com/advisories/GHSA-9hxf-ppjv-w6rq

Grpcio 1.53.2, 1.54.3, 1.55.3 and 1.56.2 include a fix for CVE-2023-4785: Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected.
https://github.com/grpc/grpc/pull/33656

There exists an vulnerability causing an abort() to be called in gRPC.  The following headers cause gRPC's C++ implementation to abort() when called via http2: te: x (x != trailers) :scheme: x (x != http, https) grpclb_client_stats: x (x == anything) On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB.

gRPC contains a vulnerability whereby a client can cause a termination of the connection between an HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies.

Grpcio 1.53.0 includes a fix for a Reachable Assertion vulnerability. 
https://github.com/advisories/GHSA-6628-q6j9-w8vg

When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration.

gRPC has a vulnerability linked to hpack table accounting errors, causing potential unwanted disconnects between clients and servers. Identified vectors include unbounded memory buffering and CPU consumption within the HPACK parser, leading to denial-of-service (DOS) attacks. The CPU issue stems from excessive copying, resulting in inefficient parsing. Memory issues arise from delayed header size checks, allowing large strings to be buffered, and a quirk in HPACK's integer encoding, permitting infinite zero-padding. Additionally, metadata overflow checks per frame could enable infinite buffering, compromising gRPC's stability and security.

Grpcio 1.53.0 includes a fix for a Connection Confusion vulnerability. When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration.
https://github.com/advisories/GHSA-cfgp-2977-2fmm

Grpcio 1.53.0 includes a fix for a Connection Termination vulnerability. The prior versions contain a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for -bin suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies.
https://github.com/advisories/GHSA-9hxf-ppjv-w6rq

Grpcio 1.53.2, 1.54.3, 1.55.3 and 1.56.2 include a fix for CVE-2023-4785: Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected.
https://github.com/grpc/grpc/pull/33656

There exists an vulnerability causing an abort() to be called in gRPC.  The following headers cause gRPC's C++ implementation to abort() when called via http2: te: x (x != trailers) :scheme: x (x != http, https) grpclb_client_stats: x (x == anything) On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB.

gRPC contains a vulnerability whereby a client can cause a termination of the connection between an HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies.

Grpcio 1.53.0 includes a fix for a Reachable Assertion vulnerability. 
https://github.com/advisories/GHSA-6628-q6j9-w8vg