Package | Installed | Affected | Info |
---|---|---|---|
black | 22.3.0 | <24.3.0 | Affected versions of Black are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service. |
bandit | 1.7.4 | <1.7.7 | Bandit 1.7.7 identifies the str.replace method as a potential risk for SQL injection because it can be misused in constructing SQL queries, potentially enabling the execution of arbitrary SQL code. https://github.com/PyCQA/bandit/pull/1044/commits/d909043ba20853c90a7cad4a5b58a180f6937bf8 |
grpcio | 1.46.3 | <1.53.0 | When the gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients, leading to an information leak that can be used for privilege escalation or data exfiltration. |
grpcio | 1.46.3 | <1.53.2, >=1.54.0,<1.54.3, >=1.55.0,<1.55.2, >=1.56.0,<1.56.2 | gRPC has a vulnerability linked to HPACK table accounting errors, causing potential unwanted disconnects between clients and servers. Identified vectors include unbounded memory buffering and CPU consumption within the HPACK parser, leading to denial-of-service (DoS) attacks. The CPU issue stems from excessive copying, resulting in inefficient parsing. Memory issues arise from delayed header size checks, allowing large strings to be buffered, and a quirk in HPACK's integer encoding, permitting infinite zero-padding. Additionally, metadata overflow checks per frame could enable infinite buffering, compromising gRPC's stability and security. |
grpcio | 1.46.3 | <1.53.0 | Grpcio 1.53.0 includes a fix for a Connection Confusion vulnerability. When the gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients, leading to an information leak that can be used for privilege escalation or data exfiltration. https://github.com/advisories/GHSA-cfgp-2977-2fmm |
grpcio | 1.46.3 | <1.53.0 | Grpcio 1.53.0 includes a fix for a Connection Termination vulnerability. The prior versions contain a vulnerability whereby a client can cause a termination of the connection between an HTTP2 proxy and a gRPC server: a base64 encoding error for -bin suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. https://github.com/advisories/GHSA-9hxf-ppjv-w6rq |
grpcio | 1.46.3 | <1.53.2, >=1.54.0rc1,<1.54.3, >=1.55.0rc1,<1.55.3, >=1.56.0rc1,<1.56.2 | Grpcio 1.53.2, 1.54.3, 1.55.3 and 1.56.2 include a fix for CVE-2023-4785: lack of error handling in the TCP server in Google's gRPC starting from version 1.23 on POSIX-compatible platforms (e.g. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++, Python, and Ruby are affected, but gRPC Java and Go are NOT affected. https://github.com/grpc/grpc/pull/33656 |
grpcio | 1.46.3 | <1.53.0 | There exists a vulnerability causing an abort() to be called in gRPC. The following headers cause gRPC's C++ implementation to abort() when called via HTTP2: te: x (x != trailers); :scheme: x (x != http, https); grpclb_client_stats: x (x == anything). On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB. |
grpcio | 1.46.3 | <1.53.0 | gRPC contains a vulnerability whereby a client can cause a termination of the connection between an HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. |
grpcio | 1.46.3 | <1.53.0 | Grpcio 1.53.0 includes a fix for a Reachable Assertion vulnerability. https://github.com/advisories/GHSA-6628-q6j9-w8vg |
Package | Installed | Affected | Info |
---|---|---|---|
black | 22.3.0 | <24.3.0 |
show Affected versions of Black are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service. |
black | 22.3.0 | <24.3.0 |
show Affected versions of Black are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service. |
bandit | 1.7.4 | <1.7.7 |
show Bandit 1.7.7 identifies the str.replace method as a potential risk for SQL injection because it can be misused in constructing SQL queries, potentially enabling the execution of arbitrary SQL code. https://github.com/PyCQA/bandit/pull/1044/commits/d909043ba20853c90a7cad4a5b58a180f6937bf8 |
black | 22.3.0 | <24.3.0 |
show Affected versions of Black are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service. |
grpcio | 1.46.3 | <1.53.0 |
show When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. |
grpcio | 1.46.3 | <1.53.2 , >=1.54.0,<1.54.3 , >=1.55.0,<1.55.2 , >=1.56.0,<1.56.2 |
show gRPC has a vulnerability linked to hpack table accounting errors, causing potential unwanted disconnects between clients and servers. Identified vectors include unbounded memory buffering and CPU consumption within the HPACK parser, leading to denial-of-service (DOS) attacks. The CPU issue stems from excessive copying, resulting in inefficient parsing. Memory issues arise from delayed header size checks, allowing large strings to be buffered, and a quirk in HPACK's integer encoding, permitting infinite zero-padding. Additionally, metadata overflow checks per frame could enable infinite buffering, compromising gRPC's stability and security. |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Connection Confusion vulnerability. When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. https://github.com/advisories/GHSA-cfgp-2977-2fmm |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Connection Termination vulnerability. The prior versions contain a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for -bin suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. https://github.com/advisories/GHSA-9hxf-ppjv-w6rq |
grpcio | 1.46.3 | <1.53.2 , >=1.54.0rc1,<1.54.3 , >=1.55.0rc1,<1.55.3 , >=1.56.0rc1,<1.56.2 |
show Grpcio 1.53.2, 1.54.3, 1.55.3 and 1.56.2 include a fix for CVE-2023-4785: Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected. https://github.com/grpc/grpc/pull/33656 |
grpcio | 1.46.3 | <1.53.0 |
show There exists an vulnerability causing an abort() to be called in gRPC. The following headers cause gRPC's C++ implementation to abort() when called via http2: te: x (x != trailers) :scheme: x (x != http, https) grpclb_client_stats: x (x == anything) On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB. |
grpcio | 1.46.3 | <1.53.0 |
show gRPC contains a vulnerability whereby a client can cause a termination of the connection between an HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Reachable Assertion vulnerability. https://github.com/advisories/GHSA-6628-q6j9-w8vg |
grpcio | 1.46.3 | <1.53.0 |
show When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. |
grpcio | 1.46.3 | <1.53.2 , >=1.54.0,<1.54.3 , >=1.55.0,<1.55.2 , >=1.56.0,<1.56.2 |
show gRPC has a vulnerability linked to hpack table accounting errors, causing potential unwanted disconnects between clients and servers. Identified vectors include unbounded memory buffering and CPU consumption within the HPACK parser, leading to denial-of-service (DOS) attacks. The CPU issue stems from excessive copying, resulting in inefficient parsing. Memory issues arise from delayed header size checks, allowing large strings to be buffered, and a quirk in HPACK's integer encoding, permitting infinite zero-padding. Additionally, metadata overflow checks per frame could enable infinite buffering, compromising gRPC's stability and security. |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Connection Confusion vulnerability. When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. https://github.com/advisories/GHSA-cfgp-2977-2fmm |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Connection Termination vulnerability. The prior versions contain a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for -bin suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. https://github.com/advisories/GHSA-9hxf-ppjv-w6rq |
grpcio | 1.46.3 | <1.53.2 , >=1.54.0rc1,<1.54.3 , >=1.55.0rc1,<1.55.3 , >=1.56.0rc1,<1.56.2 |
show Grpcio 1.53.2, 1.54.3, 1.55.3 and 1.56.2 include a fix for CVE-2023-4785: Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected. https://github.com/grpc/grpc/pull/33656 |
grpcio | 1.46.3 | <1.53.0 |
show There exists an vulnerability causing an abort() to be called in gRPC. The following headers cause gRPC's C++ implementation to abort() when called via http2: te: x (x != trailers) :scheme: x (x != http, https) grpclb_client_stats: x (x == anything) On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB. |
grpcio | 1.46.3 | <1.53.0 |
show gRPC contains a vulnerability whereby a client can cause a termination of the connection between an HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Reachable Assertion vulnerability. https://github.com/advisories/GHSA-6628-q6j9-w8vg |
Package | Installed | Affected | Info |
---|---|---|---|
black | 22.3.0 | <24.3.0 |
show Affected versions of Black are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service. |
black | 22.3.0 | <24.3.0 |
show Affected versions of Black are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service. |
bandit | 1.7.4 | <1.7.7 |
show Bandit 1.7.7 identifies the str.replace method as a potential risk for SQL injection because it can be misused in constructing SQL queries, potentially enabling the execution of arbitrary SQL code. https://github.com/PyCQA/bandit/pull/1044/commits/d909043ba20853c90a7cad4a5b58a180f6937bf8 |
black | 22.3.0 | <24.3.0 |
show Affected versions of Black are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service. |
grpcio | 1.46.3 | <1.53.0 |
show When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. |
grpcio | 1.46.3 | <1.53.2 , >=1.54.0,<1.54.3 , >=1.55.0,<1.55.2 , >=1.56.0,<1.56.2 |
show gRPC has a vulnerability linked to hpack table accounting errors, causing potential unwanted disconnects between clients and servers. Identified vectors include unbounded memory buffering and CPU consumption within the HPACK parser, leading to denial-of-service (DOS) attacks. The CPU issue stems from excessive copying, resulting in inefficient parsing. Memory issues arise from delayed header size checks, allowing large strings to be buffered, and a quirk in HPACK's integer encoding, permitting infinite zero-padding. Additionally, metadata overflow checks per frame could enable infinite buffering, compromising gRPC's stability and security. |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Connection Confusion vulnerability. When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. https://github.com/advisories/GHSA-cfgp-2977-2fmm |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Connection Termination vulnerability. The prior versions contain a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for -bin suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. https://github.com/advisories/GHSA-9hxf-ppjv-w6rq |
grpcio | 1.46.3 | <1.53.2 , >=1.54.0rc1,<1.54.3 , >=1.55.0rc1,<1.55.3 , >=1.56.0rc1,<1.56.2 |
show Grpcio 1.53.2, 1.54.3, 1.55.3 and 1.56.2 include a fix for CVE-2023-4785: Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected. https://github.com/grpc/grpc/pull/33656 |
grpcio | 1.46.3 | <1.53.0 |
show There exists an vulnerability causing an abort() to be called in gRPC. The following headers cause gRPC's C++ implementation to abort() when called via http2: te: x (x != trailers) :scheme: x (x != http, https) grpclb_client_stats: x (x == anything) On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB. |
grpcio | 1.46.3 | <1.53.0 |
show gRPC contains a vulnerability whereby a client can cause a termination of the connection between an HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Reachable Assertion vulnerability. https://github.com/advisories/GHSA-6628-q6j9-w8vg |
grpcio | 1.46.3 | <1.53.0 |
show When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. |
grpcio | 1.46.3 | <1.53.2 , >=1.54.0,<1.54.3 , >=1.55.0,<1.55.2 , >=1.56.0,<1.56.2 |
show gRPC has a vulnerability linked to hpack table accounting errors, causing potential unwanted disconnects between clients and servers. Identified vectors include unbounded memory buffering and CPU consumption within the HPACK parser, leading to denial-of-service (DOS) attacks. The CPU issue stems from excessive copying, resulting in inefficient parsing. Memory issues arise from delayed header size checks, allowing large strings to be buffered, and a quirk in HPACK's integer encoding, permitting infinite zero-padding. Additionally, metadata overflow checks per frame could enable infinite buffering, compromising gRPC's stability and security. |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Connection Confusion vulnerability. When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. https://github.com/advisories/GHSA-cfgp-2977-2fmm |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Connection Termination vulnerability. The prior versions contain a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for -bin suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. https://github.com/advisories/GHSA-9hxf-ppjv-w6rq |
grpcio | 1.46.3 | <1.53.2 , >=1.54.0rc1,<1.54.3 , >=1.55.0rc1,<1.55.3 , >=1.56.0rc1,<1.56.2 |
show Grpcio 1.53.2, 1.54.3, 1.55.3 and 1.56.2 include a fix for CVE-2023-4785: Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected. https://github.com/grpc/grpc/pull/33656 |
grpcio | 1.46.3 | <1.53.0 |
show There exists an vulnerability causing an abort() to be called in gRPC. The following headers cause gRPC's C++ implementation to abort() when called via http2: te: x (x != trailers) :scheme: x (x != http, https) grpclb_client_stats: x (x == anything) On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB. |
grpcio | 1.46.3 | <1.53.0 |
show gRPC contains a vulnerability whereby a client can cause a termination of the connection between an HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Reachable Assertion vulnerability. https://github.com/advisories/GHSA-6628-q6j9-w8vg |
Package | Installed | Affected | Info |
---|---|---|---|
bandit | 1.7.4 | <1.7.7 |
show Bandit 1.7.7 identifies the str.replace method as a potential risk for SQL injection because it can be misused in constructing SQL queries, potentially enabling the execution of arbitrary SQL code. https://github.com/PyCQA/bandit/pull/1044/commits/d909043ba20853c90a7cad4a5b58a180f6937bf8 |
Package | Installed | Affected | Info |
---|---|---|---|
bandit | 1.7.4 | <1.7.7 |
show Bandit 1.7.7 identifies the str.replace method as a potential risk for SQL injection because it can be misused in constructing SQL queries, potentially enabling the execution of arbitrary SQL code. https://github.com/PyCQA/bandit/pull/1044/commits/d909043ba20853c90a7cad4a5b58a180f6937bf8 |
Package | Installed | Affected | Info |
---|---|---|---|
bandit | 1.7.4 | <1.7.7 |
show Bandit 1.7.7 identifies the str.replace method as a potential risk for SQL injection because it can be misused in constructing SQL queries, potentially enabling the execution of arbitrary SQL code. https://github.com/PyCQA/bandit/pull/1044/commits/d909043ba20853c90a7cad4a5b58a180f6937bf8 |
Package | Installed | Affected | Info |
---|---|---|---|
bandit | 1.7.4 | <1.7.7 |
show Bandit 1.7.7 identifies the str.replace method as a potential risk for SQL injection because it can be misused in constructing SQL queries, potentially enabling the execution of arbitrary SQL code. https://github.com/PyCQA/bandit/pull/1044/commits/d909043ba20853c90a7cad4a5b58a180f6937bf8 |
grpcio | 1.46.3 | <1.53.0 |
show When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. |
grpcio | 1.46.3 | <1.53.2 , >=1.54.0,<1.54.3 , >=1.55.0,<1.55.2 , >=1.56.0,<1.56.2 |
show gRPC has a vulnerability linked to hpack table accounting errors, causing potential unwanted disconnects between clients and servers. Identified vectors include unbounded memory buffering and CPU consumption within the HPACK parser, leading to denial-of-service (DOS) attacks. The CPU issue stems from excessive copying, resulting in inefficient parsing. Memory issues arise from delayed header size checks, allowing large strings to be buffered, and a quirk in HPACK's integer encoding, permitting infinite zero-padding. Additionally, metadata overflow checks per frame could enable infinite buffering, compromising gRPC's stability and security. |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Connection Confusion vulnerability. When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. https://github.com/advisories/GHSA-cfgp-2977-2fmm |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Connection Termination vulnerability. The prior versions contain a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for -bin suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. https://github.com/advisories/GHSA-9hxf-ppjv-w6rq |
grpcio | 1.46.3 | <1.53.2 , >=1.54.0rc1,<1.54.3 , >=1.55.0rc1,<1.55.3 , >=1.56.0rc1,<1.56.2 |
show Grpcio 1.53.2, 1.54.3, 1.55.3 and 1.56.2 include a fix for CVE-2023-4785: Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected. https://github.com/grpc/grpc/pull/33656 |
grpcio | 1.46.3 | <1.53.0 |
show There exists an vulnerability causing an abort() to be called in gRPC. The following headers cause gRPC's C++ implementation to abort() when called via http2: te: x (x != trailers) :scheme: x (x != http, https) grpclb_client_stats: x (x == anything) On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB. |
grpcio | 1.46.3 | <1.53.0 |
show gRPC contains a vulnerability whereby a client can cause a termination of the connection between an HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Reachable Assertion vulnerability. https://github.com/advisories/GHSA-6628-q6j9-w8vg |
grpcio | 1.46.3 | <1.53.0 | Grpcio 1.53.0 includes a fix for a Connection Confusion vulnerability. When the gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients, leading to an information leak that can be used for privilege escalation or data exfiltration. https://github.com/advisories/GHSA-cfgp-2977-2fmm |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Connection Termination vulnerability. The prior versions contain a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for -bin suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. https://github.com/advisories/GHSA-9hxf-ppjv-w6rq |
grpcio | 1.46.3 | <1.53.2 , >=1.54.0rc1,<1.54.3 , >=1.55.0rc1,<1.55.3 , >=1.56.0rc1,<1.56.2 |
show Grpcio 1.53.2, 1.54.3, 1.55.3 and 1.56.2 include a fix for CVE-2023-4785: Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected. https://github.com/grpc/grpc/pull/33656 |
grpcio | 1.46.3 | <1.53.0 |
show There exists an vulnerability causing an abort() to be called in gRPC. The following headers cause gRPC's C++ implementation to abort() when called via http2: te: x (x != trailers) :scheme: x (x != http, https) grpclb_client_stats: x (x == anything) On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB. |
grpcio | 1.46.3 | <1.53.0 |
show gRPC contains a vulnerability whereby a client can cause a termination of the connection between an HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Reachable Assertion vulnerability. https://github.com/advisories/GHSA-6628-q6j9-w8vg |
grpcio | 1.46.3 | <1.53.0 |
show When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. |
grpcio | 1.46.3 | <1.53.2 , >=1.54.0,<1.54.3 , >=1.55.0,<1.55.2 , >=1.56.0,<1.56.2 |
show gRPC has a vulnerability linked to hpack table accounting errors, causing potential unwanted disconnects between clients and servers. Identified vectors include unbounded memory buffering and CPU consumption within the HPACK parser, leading to denial-of-service (DOS) attacks. The CPU issue stems from excessive copying, resulting in inefficient parsing. Memory issues arise from delayed header size checks, allowing large strings to be buffered, and a quirk in HPACK's integer encoding, permitting infinite zero-padding. Additionally, metadata overflow checks per frame could enable infinite buffering, compromising gRPC's stability and security. |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Connection Confusion vulnerability. When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. https://github.com/advisories/GHSA-cfgp-2977-2fmm |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Connection Termination vulnerability. The prior versions contain a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for -bin suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. https://github.com/advisories/GHSA-9hxf-ppjv-w6rq |
grpcio | 1.46.3 | <1.53.2 , >=1.54.0rc1,<1.54.3 , >=1.55.0rc1,<1.55.3 , >=1.56.0rc1,<1.56.2 |
show Grpcio 1.53.2, 1.54.3, 1.55.3 and 1.56.2 include a fix for CVE-2023-4785: Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected. https://github.com/grpc/grpc/pull/33656 |
grpcio | 1.46.3 | <1.53.0 |
show There exists an vulnerability causing an abort() to be called in gRPC. The following headers cause gRPC's C++ implementation to abort() when called via http2: te: x (x != trailers) :scheme: x (x != http, https) grpclb_client_stats: x (x == anything) On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB. |
grpcio | 1.46.3 | <1.53.0 |
show gRPC contains a vulnerability whereby a client can cause a termination of the connection between an HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Reachable Assertion vulnerability. https://github.com/advisories/GHSA-6628-q6j9-w8vg |
Package | Installed | Affected | Info |
---|---|---|---|
bandit | 1.7.4 | <1.7.7 |
show Bandit 1.7.7 identifies the str.replace method as a potential risk for SQL injection because it can be misused in constructing SQL queries, potentially enabling the execution of arbitrary SQL code. https://github.com/PyCQA/bandit/pull/1044/commits/d909043ba20853c90a7cad4a5b58a180f6937bf8 |
black | 22.3.0 | <24.3.0 |
show Affected versions of Black are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service. |
grpcio | 1.46.3 | <1.53.0 |
show When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. |
grpcio | 1.46.3 | <1.53.2 , >=1.54.0,<1.54.3 , >=1.55.0,<1.55.2 , >=1.56.0,<1.56.2 |
show gRPC has a vulnerability linked to hpack table accounting errors, causing potential unwanted disconnects between clients and servers. Identified vectors include unbounded memory buffering and CPU consumption within the HPACK parser, leading to denial-of-service (DOS) attacks. The CPU issue stems from excessive copying, resulting in inefficient parsing. Memory issues arise from delayed header size checks, allowing large strings to be buffered, and a quirk in HPACK's integer encoding, permitting infinite zero-padding. Additionally, metadata overflow checks per frame could enable infinite buffering, compromising gRPC's stability and security. |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Connection Confusion vulnerability. When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. https://github.com/advisories/GHSA-cfgp-2977-2fmm |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Connection Termination vulnerability. The prior versions contain a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for -bin suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. https://github.com/advisories/GHSA-9hxf-ppjv-w6rq |
grpcio | 1.46.3 | <1.53.2 , >=1.54.0rc1,<1.54.3 , >=1.55.0rc1,<1.55.3 , >=1.56.0rc1,<1.56.2 |
show Grpcio 1.53.2, 1.54.3, 1.55.3 and 1.56.2 include a fix for CVE-2023-4785: Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected. https://github.com/grpc/grpc/pull/33656 |
grpcio | 1.46.3 | <1.53.0 |
show There exists an vulnerability causing an abort() to be called in gRPC. The following headers cause gRPC's C++ implementation to abort() when called via http2: te: x (x != trailers) :scheme: x (x != http, https) grpclb_client_stats: x (x == anything) On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB. |
grpcio | 1.46.3 | <1.53.0 |
show gRPC contains a vulnerability whereby a client can cause a termination of the connection between an HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Reachable Assertion vulnerability. https://github.com/advisories/GHSA-6628-q6j9-w8vg |
grpcio | 1.46.3 | <1.53.0 |
show When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. |
grpcio | 1.46.3 | <1.53.2 , >=1.54.0,<1.54.3 , >=1.55.0,<1.55.2 , >=1.56.0,<1.56.2 |
show gRPC has a vulnerability linked to hpack table accounting errors, causing potential unwanted disconnects between clients and servers. Identified vectors include unbounded memory buffering and CPU consumption within the HPACK parser, leading to denial-of-service (DOS) attacks. The CPU issue stems from excessive copying, resulting in inefficient parsing. Memory issues arise from delayed header size checks, allowing large strings to be buffered, and a quirk in HPACK's integer encoding, permitting infinite zero-padding. Additionally, metadata overflow checks per frame could enable infinite buffering, compromising gRPC's stability and security. |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Connection Confusion vulnerability. When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. https://github.com/advisories/GHSA-cfgp-2977-2fmm |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Connection Termination vulnerability. The prior versions contain a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for -bin suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. https://github.com/advisories/GHSA-9hxf-ppjv-w6rq |
grpcio | 1.46.3 | <1.53.2 , >=1.54.0rc1,<1.54.3 , >=1.55.0rc1,<1.55.3 , >=1.56.0rc1,<1.56.2 |
show Grpcio 1.53.2, 1.54.3, 1.55.3 and 1.56.2 include a fix for CVE-2023-4785: Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected. https://github.com/grpc/grpc/pull/33656 |
grpcio | 1.46.3 | <1.53.0 |
show There exists an vulnerability causing an abort() to be called in gRPC. The following headers cause gRPC's C++ implementation to abort() when called via http2: te: x (x != trailers) :scheme: x (x != http, https) grpclb_client_stats: x (x == anything) On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB. |
grpcio | 1.46.3 | <1.53.0 |
show gRPC contains a vulnerability whereby a client can cause a termination of the connection between an HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Reachable Assertion vulnerability. https://github.com/advisories/GHSA-6628-q6j9-w8vg |
Package | Installed | Affected | Info |
---|---|---|---|
black | 22.3.0 | <24.3.0 |
show Affected versions of Black are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service. |
black | 22.3.0 | <24.3.0 |
show Affected versions of Black are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service. |
bandit | 1.7.4 | <1.7.7 |
show Bandit 1.7.7 identifies the str.replace method as a potential risk for SQL injection because it can be misused in constructing SQL queries, potentially enabling the execution of arbitrary SQL code. https://github.com/PyCQA/bandit/pull/1044/commits/d909043ba20853c90a7cad4a5b58a180f6937bf8 |
black | 22.3.0 | <24.3.0 |
show Affected versions of Black are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service. |
grpcio | 1.46.3 | <1.53.0 |
show When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. |
grpcio | 1.46.3 | <1.53.2 , >=1.54.0,<1.54.3 , >=1.55.0,<1.55.2 , >=1.56.0,<1.56.2 |
show gRPC has a vulnerability linked to hpack table accounting errors, causing potential unwanted disconnects between clients and servers. Identified vectors include unbounded memory buffering and CPU consumption within the HPACK parser, leading to denial-of-service (DOS) attacks. The CPU issue stems from excessive copying, resulting in inefficient parsing. Memory issues arise from delayed header size checks, allowing large strings to be buffered, and a quirk in HPACK's integer encoding, permitting infinite zero-padding. Additionally, metadata overflow checks per frame could enable infinite buffering, compromising gRPC's stability and security. |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Connection Confusion vulnerability. When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. https://github.com/advisories/GHSA-cfgp-2977-2fmm |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Connection Termination vulnerability. The prior versions contain a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for -bin suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. https://github.com/advisories/GHSA-9hxf-ppjv-w6rq |
grpcio | 1.46.3 | <1.53.2 , >=1.54.0rc1,<1.54.3 , >=1.55.0rc1,<1.55.3 , >=1.56.0rc1,<1.56.2 |
show Grpcio 1.53.2, 1.54.3, 1.55.3 and 1.56.2 include a fix for CVE-2023-4785: Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected. https://github.com/grpc/grpc/pull/33656 |
grpcio | 1.46.3 | <1.53.0 |
show There exists an vulnerability causing an abort() to be called in gRPC. The following headers cause gRPC's C++ implementation to abort() when called via http2: te: x (x != trailers) :scheme: x (x != http, https) grpclb_client_stats: x (x == anything) On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB. |
grpcio | 1.46.3 | <1.53.0 |
show gRPC contains a vulnerability whereby a client can cause a termination of the connection between an HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Reachable Assertion vulnerability. https://github.com/advisories/GHSA-6628-q6j9-w8vg |
grpcio | 1.46.3 | <1.53.0 |
show When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. |
grpcio | 1.46.3 | <1.53.2 , >=1.54.0,<1.54.3 , >=1.55.0,<1.55.2 , >=1.56.0,<1.56.2 |
show gRPC has a vulnerability linked to hpack table accounting errors, causing potential unwanted disconnects between clients and servers. Identified vectors include unbounded memory buffering and CPU consumption within the HPACK parser, leading to denial-of-service (DOS) attacks. The CPU issue stems from excessive copying, resulting in inefficient parsing. Memory issues arise from delayed header size checks, allowing large strings to be buffered, and a quirk in HPACK's integer encoding, permitting infinite zero-padding. Additionally, metadata overflow checks per frame could enable infinite buffering, compromising gRPC's stability and security. |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Connection Confusion vulnerability. When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. https://github.com/advisories/GHSA-cfgp-2977-2fmm |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Connection Termination vulnerability. The prior versions contain a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for -bin suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. https://github.com/advisories/GHSA-9hxf-ppjv-w6rq |
grpcio | 1.46.3 | <1.53.2 , >=1.54.0rc1,<1.54.3 , >=1.55.0rc1,<1.55.3 , >=1.56.0rc1,<1.56.2 |
show Grpcio 1.53.2, 1.54.3, 1.55.3 and 1.56.2 include a fix for CVE-2023-4785: Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected. https://github.com/grpc/grpc/pull/33656 |
grpcio | 1.46.3 | <1.53.0 |
show There exists an vulnerability causing an abort() to be called in gRPC. The following headers cause gRPC's C++ implementation to abort() when called via http2: te: x (x != trailers) :scheme: x (x != http, https) grpclb_client_stats: x (x == anything) On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB. |
grpcio | 1.46.3 | <1.53.0 |
show gRPC contains a vulnerability whereby a client can cause a termination of the connection between an HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Reachable Assertion vulnerability. https://github.com/advisories/GHSA-6628-q6j9-w8vg |
Package | Installed | Affected | Info |
---|---|---|---|
black | 22.3.0 | <24.3.0 |
show Affected versions of Black are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service. |
black | 22.3.0 | <24.3.0 |
show Affected versions of Black are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service. |
bandit | 1.7.4 | <1.7.7 |
show Bandit 1.7.7 identifies the str.replace method as a potential risk for SQL injection because it can be misused in constructing SQL queries, potentially enabling the execution of arbitrary SQL code. https://github.com/PyCQA/bandit/pull/1044/commits/d909043ba20853c90a7cad4a5b58a180f6937bf8 |
black | 22.3.0 | <24.3.0 |
show Affected versions of Black are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service. |
grpcio | 1.46.3 | <1.53.0 |
show When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. |
grpcio | 1.46.3 | <1.53.2 , >=1.54.0,<1.54.3 , >=1.55.0,<1.55.2 , >=1.56.0,<1.56.2 |
show gRPC has a vulnerability linked to hpack table accounting errors, causing potential unwanted disconnects between clients and servers. Identified vectors include unbounded memory buffering and CPU consumption within the HPACK parser, leading to denial-of-service (DOS) attacks. The CPU issue stems from excessive copying, resulting in inefficient parsing. Memory issues arise from delayed header size checks, allowing large strings to be buffered, and a quirk in HPACK's integer encoding, permitting infinite zero-padding. Additionally, metadata overflow checks per frame could enable infinite buffering, compromising gRPC's stability and security. |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Connection Confusion vulnerability. When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. https://github.com/advisories/GHSA-cfgp-2977-2fmm |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Connection Termination vulnerability. The prior versions contain a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for -bin suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. https://github.com/advisories/GHSA-9hxf-ppjv-w6rq |
grpcio | 1.46.3 | <1.53.2 , >=1.54.0rc1,<1.54.3 , >=1.55.0rc1,<1.55.3 , >=1.56.0rc1,<1.56.2 |
show Grpcio 1.53.2, 1.54.3, 1.55.3 and 1.56.2 include a fix for CVE-2023-4785: Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected. https://github.com/grpc/grpc/pull/33656 |
grpcio | 1.46.3 | <1.53.0 |
show There exists an vulnerability causing an abort() to be called in gRPC. The following headers cause gRPC's C++ implementation to abort() when called via http2: te: x (x != trailers) :scheme: x (x != http, https) grpclb_client_stats: x (x == anything) On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB. |
grpcio | 1.46.3 | <1.53.0 |
show gRPC contains a vulnerability whereby a client can cause a termination of the connection between an HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Reachable Assertion vulnerability. https://github.com/advisories/GHSA-6628-q6j9-w8vg |
grpcio | 1.46.3 | <1.53.0 |
show When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. |
grpcio | 1.46.3 | <1.53.2 , >=1.54.0,<1.54.3 , >=1.55.0,<1.55.2 , >=1.56.0,<1.56.2 |
show gRPC has a vulnerability linked to hpack table accounting errors, causing potential unwanted disconnects between clients and servers. Identified vectors include unbounded memory buffering and CPU consumption within the HPACK parser, leading to denial-of-service (DOS) attacks. The CPU issue stems from excessive copying, resulting in inefficient parsing. Memory issues arise from delayed header size checks, allowing large strings to be buffered, and a quirk in HPACK's integer encoding, permitting infinite zero-padding. Additionally, metadata overflow checks per frame could enable infinite buffering, compromising gRPC's stability and security. |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Connection Confusion vulnerability. When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. https://github.com/advisories/GHSA-cfgp-2977-2fmm |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Connection Termination vulnerability. The prior versions contain a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for -bin suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. https://github.com/advisories/GHSA-9hxf-ppjv-w6rq |
grpcio | 1.46.3 | <1.53.2 , >=1.54.0rc1,<1.54.3 , >=1.55.0rc1,<1.55.3 , >=1.56.0rc1,<1.56.2 |
show Grpcio 1.53.2, 1.54.3, 1.55.3 and 1.56.2 include a fix for CVE-2023-4785: Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on POSIX-compatible platforms (e.g. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++, Python, and Ruby are affected, but gRPC Java and Go are NOT affected. https://github.com/grpc/grpc/pull/33656 |
grpcio | 1.46.3 | <1.53.0 |
show There exists a vulnerability causing an abort() to be called in gRPC. The following headers cause gRPC's C++ implementation to abort() when called via HTTP2: te: x (x != trailers); :scheme: x (x != http, https); grpclb_client_stats: x (x == anything). On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB. |
grpcio | 1.46.3 | <1.53.0 |
show gRPC contains a vulnerability whereby a client can cause a termination of the connection between an HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Reachable Assertion vulnerability. https://github.com/advisories/GHSA-6628-q6j9-w8vg |
.. image:: https://pyup.io/repos/github/amor71/mnqueues/python-3-shield.svg
   :target: https://pyup.io/repos/github/amor71/mnqueues/
   :alt: Python 3
.. image:: https://pyup.io/repos/github/amor71/mnqueues/shield.svg
   :target: https://pyup.io/repos/github/amor71/mnqueues/
   :alt: Updates