Package | Installed | Affected | Info |
---|---|---|---|
grpcio | 1.46.3 | <1.53.2 , >=1.54.0,<1.54.3 , >=1.55.0,<1.55.2 , >=1.56.0,<1.56.2 |
show gRPC has a vulnerability linked to hpack table accounting errors, causing potential unwanted disconnects between clients and servers. Identified vectors include unbounded memory buffering and CPU consumption within the HPACK parser, leading to denial-of-service (DOS) attacks. The CPU issue stems from excessive copying, resulting in inefficient parsing. Memory issues arise from delayed header size checks, allowing large strings to be buffered, and a quirk in HPACK's integer encoding, permitting infinite zero-padding. Additionally, metadata overflow checks per frame could enable infinite buffering, compromising gRPC's stability and security. |
grpcio | 1.46.3 | <1.53.0 |
show When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Connection Confusion vulnerability. When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. https://github.com/advisories/GHSA-cfgp-2977-2fmm |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Connection Termination vulnerability. The prior versions contain a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for -bin suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. https://github.com/advisories/GHSA-9hxf-ppjv-w6rq |
grpcio | 1.46.3 | <1.53.2 , >=1.54.0rc1,<1.54.3 , >=1.55.0rc1,<1.55.3 , >=1.56.0rc1,<1.56.2 |
show Grpcio 1.53.2, 1.54.3, 1.55.3 and 1.56.2 include a fix for CVE-2023-4785: Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected. https://github.com/grpc/grpc/pull/33656 |
grpcio | 1.46.3 | <1.53.0 |
show There exists an vulnerability causing an abort() to be called in gRPC. The following headers cause gRPC's C++ implementation to abort() when called via http2: te: x (x != trailers) :scheme: x (x != http, https) grpclb_client_stats: x (x == anything) On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB. |
grpcio | 1.46.3 | <1.53.0 |
show gRPC contains a vulnerability whereby a client can cause a termination of the connection between an HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Reachable Assertion vulnerability. https://github.com/advisories/GHSA-6628-q6j9-w8vg |
grpcio | 1.46.3 | <1.53.2 , >=1.54.0,<1.54.3 , >=1.55.0,<1.55.2 , >=1.56.0,<1.56.2 |
show gRPC has a vulnerability linked to hpack table accounting errors, causing potential unwanted disconnects between clients and servers. Identified vectors include unbounded memory buffering and CPU consumption within the HPACK parser, leading to denial-of-service (DOS) attacks. The CPU issue stems from excessive copying, resulting in inefficient parsing. Memory issues arise from delayed header size checks, allowing large strings to be buffered, and a quirk in HPACK's integer encoding, permitting infinite zero-padding. Additionally, metadata overflow checks per frame could enable infinite buffering, compromising gRPC's stability and security. |
grpcio | 1.46.3 | <1.53.0 |
show When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Connection Confusion vulnerability. When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. https://github.com/advisories/GHSA-cfgp-2977-2fmm |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Connection Termination vulnerability. The prior versions contain a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for -bin suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. https://github.com/advisories/GHSA-9hxf-ppjv-w6rq |
grpcio | 1.46.3 | <1.53.2 , >=1.54.0rc1,<1.54.3 , >=1.55.0rc1,<1.55.3 , >=1.56.0rc1,<1.56.2 |
show Grpcio 1.53.2, 1.54.3, 1.55.3 and 1.56.2 include a fix for CVE-2023-4785: Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected. https://github.com/grpc/grpc/pull/33656 |
grpcio | 1.46.3 | <1.53.0 |
show There exists an vulnerability causing an abort() to be called in gRPC. The following headers cause gRPC's C++ implementation to abort() when called via http2: te: x (x != trailers) :scheme: x (x != http, https) grpclb_client_stats: x (x == anything) On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB. |
grpcio | 1.46.3 | <1.53.0 |
show gRPC contains a vulnerability whereby a client can cause a termination of the connection between an HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Reachable Assertion vulnerability. https://github.com/advisories/GHSA-6628-q6j9-w8vg |
Package | Installed | Affected | Info |
---|---|---|---|
grpcio | 1.46.3 | <1.53.2 , >=1.54.0,<1.54.3 , >=1.55.0,<1.55.2 , >=1.56.0,<1.56.2 |
show gRPC has a vulnerability linked to hpack table accounting errors, causing potential unwanted disconnects between clients and servers. Identified vectors include unbounded memory buffering and CPU consumption within the HPACK parser, leading to denial-of-service (DOS) attacks. The CPU issue stems from excessive copying, resulting in inefficient parsing. Memory issues arise from delayed header size checks, allowing large strings to be buffered, and a quirk in HPACK's integer encoding, permitting infinite zero-padding. Additionally, metadata overflow checks per frame could enable infinite buffering, compromising gRPC's stability and security. |
grpcio | 1.46.3 | <1.53.0 |
show When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Connection Confusion vulnerability. When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. https://github.com/advisories/GHSA-cfgp-2977-2fmm |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Connection Termination vulnerability. The prior versions contain a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for -bin suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. https://github.com/advisories/GHSA-9hxf-ppjv-w6rq |
grpcio | 1.46.3 | <1.53.2 , >=1.54.0rc1,<1.54.3 , >=1.55.0rc1,<1.55.3 , >=1.56.0rc1,<1.56.2 |
show Grpcio 1.53.2, 1.54.3, 1.55.3 and 1.56.2 include a fix for CVE-2023-4785: Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected. https://github.com/grpc/grpc/pull/33656 |
grpcio | 1.46.3 | <1.53.0 |
show There exists an vulnerability causing an abort() to be called in gRPC. The following headers cause gRPC's C++ implementation to abort() when called via http2: te: x (x != trailers) :scheme: x (x != http, https) grpclb_client_stats: x (x == anything) On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB. |
grpcio | 1.46.3 | <1.53.0 |
show gRPC contains a vulnerability whereby a client can cause a termination of the connection between an HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Reachable Assertion vulnerability. https://github.com/advisories/GHSA-6628-q6j9-w8vg |
grpcio | 1.46.3 | <1.53.2 , >=1.54.0,<1.54.3 , >=1.55.0,<1.55.2 , >=1.56.0,<1.56.2 |
show gRPC has a vulnerability linked to hpack table accounting errors, causing potential unwanted disconnects between clients and servers. Identified vectors include unbounded memory buffering and CPU consumption within the HPACK parser, leading to denial-of-service (DOS) attacks. The CPU issue stems from excessive copying, resulting in inefficient parsing. Memory issues arise from delayed header size checks, allowing large strings to be buffered, and a quirk in HPACK's integer encoding, permitting infinite zero-padding. Additionally, metadata overflow checks per frame could enable infinite buffering, compromising gRPC's stability and security. |
grpcio | 1.46.3 | <1.53.0 |
show When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Connection Confusion vulnerability. When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. https://github.com/advisories/GHSA-cfgp-2977-2fmm |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Connection Termination vulnerability. The prior versions contain a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for -bin suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. https://github.com/advisories/GHSA-9hxf-ppjv-w6rq |
grpcio | 1.46.3 | <1.53.2 , >=1.54.0rc1,<1.54.3 , >=1.55.0rc1,<1.55.3 , >=1.56.0rc1,<1.56.2 |
show Grpcio 1.53.2, 1.54.3, 1.55.3 and 1.56.2 include a fix for CVE-2023-4785: Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected. https://github.com/grpc/grpc/pull/33656 |
grpcio | 1.46.3 | <1.53.0 |
show There exists an vulnerability causing an abort() to be called in gRPC. The following headers cause gRPC's C++ implementation to abort() when called via http2: te: x (x != trailers) :scheme: x (x != http, https) grpclb_client_stats: x (x == anything) On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB. |
grpcio | 1.46.3 | <1.53.0 |
show gRPC contains a vulnerability whereby a client can cause a termination of the connection between an HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Reachable Assertion vulnerability. https://github.com/advisories/GHSA-6628-q6j9-w8vg |
Package | Installed | Affected | Info |
---|---|---|---|
grpcio | 1.46.3 | <1.53.2 , >=1.54.0,<1.54.3 , >=1.55.0,<1.55.2 , >=1.56.0,<1.56.2 |
show gRPC has a vulnerability linked to hpack table accounting errors, causing potential unwanted disconnects between clients and servers. Identified vectors include unbounded memory buffering and CPU consumption within the HPACK parser, leading to denial-of-service (DOS) attacks. The CPU issue stems from excessive copying, resulting in inefficient parsing. Memory issues arise from delayed header size checks, allowing large strings to be buffered, and a quirk in HPACK's integer encoding, permitting infinite zero-padding. Additionally, metadata overflow checks per frame could enable infinite buffering, compromising gRPC's stability and security. |
grpcio | 1.46.3 | <1.53.0 |
show When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Connection Confusion vulnerability. When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. https://github.com/advisories/GHSA-cfgp-2977-2fmm |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Connection Termination vulnerability. The prior versions contain a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for -bin suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. https://github.com/advisories/GHSA-9hxf-ppjv-w6rq |
grpcio | 1.46.3 | <1.53.2 , >=1.54.0rc1,<1.54.3 , >=1.55.0rc1,<1.55.3 , >=1.56.0rc1,<1.56.2 |
show Grpcio 1.53.2, 1.54.3, 1.55.3 and 1.56.2 include a fix for CVE-2023-4785: Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected. https://github.com/grpc/grpc/pull/33656 |
grpcio | 1.46.3 | <1.53.0 |
show There exists an vulnerability causing an abort() to be called in gRPC. The following headers cause gRPC's C++ implementation to abort() when called via http2: te: x (x != trailers) :scheme: x (x != http, https) grpclb_client_stats: x (x == anything) On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB. |
grpcio | 1.46.3 | <1.53.0 |
show gRPC contains a vulnerability whereby a client can cause a termination of the connection between an HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Reachable Assertion vulnerability. https://github.com/advisories/GHSA-6628-q6j9-w8vg |
Package | Installed | Affected | Info |
---|---|---|---|
grpcio | 1.46.3 | <1.53.2 , >=1.54.0,<1.54.3 , >=1.55.0,<1.55.2 , >=1.56.0,<1.56.2 |
show gRPC has a vulnerability linked to hpack table accounting errors, causing potential unwanted disconnects between clients and servers. Identified vectors include unbounded memory buffering and CPU consumption within the HPACK parser, leading to denial-of-service (DOS) attacks. The CPU issue stems from excessive copying, resulting in inefficient parsing. Memory issues arise from delayed header size checks, allowing large strings to be buffered, and a quirk in HPACK's integer encoding, permitting infinite zero-padding. Additionally, metadata overflow checks per frame could enable infinite buffering, compromising gRPC's stability and security. |
grpcio | 1.46.3 | <1.53.0 |
show When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Connection Confusion vulnerability. When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. https://github.com/advisories/GHSA-cfgp-2977-2fmm |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Connection Termination vulnerability. The prior versions contain a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for -bin suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. https://github.com/advisories/GHSA-9hxf-ppjv-w6rq |
grpcio | 1.46.3 | <1.53.2 , >=1.54.0rc1,<1.54.3 , >=1.55.0rc1,<1.55.3 , >=1.56.0rc1,<1.56.2 |
show Grpcio 1.53.2, 1.54.3, 1.55.3 and 1.56.2 include a fix for CVE-2023-4785: Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected. https://github.com/grpc/grpc/pull/33656 |
grpcio | 1.46.3 | <1.53.0 |
show There exists an vulnerability causing an abort() to be called in gRPC. The following headers cause gRPC's C++ implementation to abort() when called via http2: te: x (x != trailers) :scheme: x (x != http, https) grpclb_client_stats: x (x == anything) On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB. |
grpcio | 1.46.3 | <1.53.0 |
show gRPC contains a vulnerability whereby a client can cause a termination of the connection between an HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Reachable Assertion vulnerability. https://github.com/advisories/GHSA-6628-q6j9-w8vg |
grpcio | 1.46.3 | <1.53.2 , >=1.54.0,<1.54.3 , >=1.55.0,<1.55.2 , >=1.56.0,<1.56.2 |
show gRPC has a vulnerability linked to hpack table accounting errors, causing potential unwanted disconnects between clients and servers. Identified vectors include unbounded memory buffering and CPU consumption within the HPACK parser, leading to denial-of-service (DOS) attacks. The CPU issue stems from excessive copying, resulting in inefficient parsing. Memory issues arise from delayed header size checks, allowing large strings to be buffered, and a quirk in HPACK's integer encoding, permitting infinite zero-padding. Additionally, metadata overflow checks per frame could enable infinite buffering, compromising gRPC's stability and security. |
grpcio | 1.46.3 | <1.53.0 |
show When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Connection Confusion vulnerability. When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. https://github.com/advisories/GHSA-cfgp-2977-2fmm |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Connection Termination vulnerability. The prior versions contain a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for -bin suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. https://github.com/advisories/GHSA-9hxf-ppjv-w6rq |
grpcio | 1.46.3 | <1.53.2 , >=1.54.0rc1,<1.54.3 , >=1.55.0rc1,<1.55.3 , >=1.56.0rc1,<1.56.2 |
show Grpcio 1.53.2, 1.54.3, 1.55.3 and 1.56.2 include a fix for CVE-2023-4785: Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected. https://github.com/grpc/grpc/pull/33656 |
grpcio | 1.46.3 | <1.53.0 |
show There exists an vulnerability causing an abort() to be called in gRPC. The following headers cause gRPC's C++ implementation to abort() when called via http2: te: x (x != trailers) :scheme: x (x != http, https) grpclb_client_stats: x (x == anything) On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB. |
grpcio | 1.46.3 | <1.53.0 |
show gRPC contains a vulnerability whereby a client can cause a termination of the connection between an HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Reachable Assertion vulnerability. https://github.com/advisories/GHSA-6628-q6j9-w8vg |
Package | Installed | Affected | Info |
---|---|---|---|
grpcio | 1.46.3 | <1.53.2 , >=1.54.0,<1.54.3 , >=1.55.0,<1.55.2 , >=1.56.0,<1.56.2 |
show gRPC has a vulnerability linked to hpack table accounting errors, causing potential unwanted disconnects between clients and servers. Identified vectors include unbounded memory buffering and CPU consumption within the HPACK parser, leading to denial-of-service (DOS) attacks. The CPU issue stems from excessive copying, resulting in inefficient parsing. Memory issues arise from delayed header size checks, allowing large strings to be buffered, and a quirk in HPACK's integer encoding, permitting infinite zero-padding. Additionally, metadata overflow checks per frame could enable infinite buffering, compromising gRPC's stability and security. |
grpcio | 1.46.3 | <1.53.0 |
show When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Connection Confusion vulnerability. When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. https://github.com/advisories/GHSA-cfgp-2977-2fmm |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Connection Termination vulnerability. The prior versions contain a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for -bin suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. https://github.com/advisories/GHSA-9hxf-ppjv-w6rq |
grpcio | 1.46.3 | <1.53.2 , >=1.54.0rc1,<1.54.3 , >=1.55.0rc1,<1.55.3 , >=1.56.0rc1,<1.56.2 |
show Grpcio 1.53.2, 1.54.3, 1.55.3 and 1.56.2 include a fix for CVE-2023-4785: Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected. https://github.com/grpc/grpc/pull/33656 |
grpcio | 1.46.3 | <1.53.0 |
show There exists an vulnerability causing an abort() to be called in gRPC. The following headers cause gRPC's C++ implementation to abort() when called via http2: te: x (x != trailers) :scheme: x (x != http, https) grpclb_client_stats: x (x == anything) On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB. |
grpcio | 1.46.3 | <1.53.0 |
show gRPC contains a vulnerability whereby a client can cause a termination of the connection between an HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Reachable Assertion vulnerability. https://github.com/advisories/GHSA-6628-q6j9-w8vg |
grpcio | 1.46.3 | <1.53.2 , >=1.54.0,<1.54.3 , >=1.55.0,<1.55.2 , >=1.56.0,<1.56.2 |
show gRPC has a vulnerability linked to hpack table accounting errors, causing potential unwanted disconnects between clients and servers. Identified vectors include unbounded memory buffering and CPU consumption within the HPACK parser, leading to denial-of-service (DOS) attacks. The CPU issue stems from excessive copying, resulting in inefficient parsing. Memory issues arise from delayed header size checks, allowing large strings to be buffered, and a quirk in HPACK's integer encoding, permitting infinite zero-padding. Additionally, metadata overflow checks per frame could enable infinite buffering, compromising gRPC's stability and security. |
grpcio | 1.46.3 | <1.53.0 |
show When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Connection Confusion vulnerability. When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. https://github.com/advisories/GHSA-cfgp-2977-2fmm |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Connection Termination vulnerability. The prior versions contain a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for -bin suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. https://github.com/advisories/GHSA-9hxf-ppjv-w6rq |
grpcio | 1.46.3 | <1.53.2 , >=1.54.0rc1,<1.54.3 , >=1.55.0rc1,<1.55.3 , >=1.56.0rc1,<1.56.2 |
show Grpcio 1.53.2, 1.54.3, 1.55.3 and 1.56.2 include a fix for CVE-2023-4785: Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected. https://github.com/grpc/grpc/pull/33656 |
grpcio | 1.46.3 | <1.53.0 |
show There exists an vulnerability causing an abort() to be called in gRPC. The following headers cause gRPC's C++ implementation to abort() when called via http2: te: x (x != trailers) :scheme: x (x != http, https) grpclb_client_stats: x (x == anything) On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB. |
grpcio | 1.46.3 | <1.53.0 |
show gRPC contains a vulnerability whereby a client can cause a termination of the connection between an HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Reachable Assertion vulnerability. https://github.com/advisories/GHSA-6628-q6j9-w8vg |
Package | Installed | Affected | Info |
---|---|---|---|
grpcio | 1.46.3 | <1.53.2 , >=1.54.0,<1.54.3 , >=1.55.0,<1.55.2 , >=1.56.0,<1.56.2 |
show gRPC has a vulnerability linked to hpack table accounting errors, causing potential unwanted disconnects between clients and servers. Identified vectors include unbounded memory buffering and CPU consumption within the HPACK parser, leading to denial-of-service (DOS) attacks. The CPU issue stems from excessive copying, resulting in inefficient parsing. Memory issues arise from delayed header size checks, allowing large strings to be buffered, and a quirk in HPACK's integer encoding, permitting infinite zero-padding. Additionally, metadata overflow checks per frame could enable infinite buffering, compromising gRPC's stability and security. |
grpcio | 1.46.3 | <1.53.0 |
show When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Connection Confusion vulnerability. When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. https://github.com/advisories/GHSA-cfgp-2977-2fmm |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Connection Termination vulnerability. The prior versions contain a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for -bin suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. https://github.com/advisories/GHSA-9hxf-ppjv-w6rq |
grpcio | 1.46.3 | <1.53.2 , >=1.54.0rc1,<1.54.3 , >=1.55.0rc1,<1.55.3 , >=1.56.0rc1,<1.56.2 |
show Grpcio 1.53.2, 1.54.3, 1.55.3 and 1.56.2 include a fix for CVE-2023-4785: Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected. https://github.com/grpc/grpc/pull/33656 |
grpcio | 1.46.3 | <1.53.0 |
show There exists an vulnerability causing an abort() to be called in gRPC. The following headers cause gRPC's C++ implementation to abort() when called via http2: te: x (x != trailers) :scheme: x (x != http, https) grpclb_client_stats: x (x == anything) On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB. |
grpcio | 1.46.3 | <1.53.0 |
show gRPC contains a vulnerability whereby a client can cause a termination of the connection between an HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Reachable Assertion vulnerability. https://github.com/advisories/GHSA-6628-q6j9-w8vg |
grpcio | 1.46.3 | <1.53.2 , >=1.54.0,<1.54.3 , >=1.55.0,<1.55.2 , >=1.56.0,<1.56.2 |
show gRPC has a vulnerability linked to hpack table accounting errors, causing potential unwanted disconnects between clients and servers. Identified vectors include unbounded memory buffering and CPU consumption within the HPACK parser, leading to denial-of-service (DOS) attacks. The CPU issue stems from excessive copying, resulting in inefficient parsing. Memory issues arise from delayed header size checks, allowing large strings to be buffered, and a quirk in HPACK's integer encoding, permitting infinite zero-padding. Additionally, metadata overflow checks per frame could enable infinite buffering, compromising gRPC's stability and security. |
grpcio | 1.46.3 | <1.53.0 |
show When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Connection Confusion vulnerability. When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. https://github.com/advisories/GHSA-cfgp-2977-2fmm |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Connection Termination vulnerability. The prior versions contain a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for -bin suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. https://github.com/advisories/GHSA-9hxf-ppjv-w6rq |
grpcio | 1.46.3 | <1.53.2 , >=1.54.0rc1,<1.54.3 , >=1.55.0rc1,<1.55.3 , >=1.56.0rc1,<1.56.2 |
show Grpcio 1.53.2, 1.54.3, 1.55.3 and 1.56.2 include a fix for CVE-2023-4785: Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected. https://github.com/grpc/grpc/pull/33656 |
grpcio | 1.46.3 | <1.53.0 |
show There exists an vulnerability causing an abort() to be called in gRPC. The following headers cause gRPC's C++ implementation to abort() when called via http2: te: x (x != trailers) :scheme: x (x != http, https) grpclb_client_stats: x (x == anything) On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB. |
grpcio | 1.46.3 | <1.53.0 |
show gRPC contains a vulnerability whereby a client can cause a termination of the connection between an HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Reachable Assertion vulnerability. https://github.com/advisories/GHSA-6628-q6j9-w8vg |
Package | Installed | Affected | Info |
---|---|---|---|
grpcio | 1.46.3 | <1.53.2 , >=1.54.0,<1.54.3 , >=1.55.0,<1.55.2 , >=1.56.0,<1.56.2 |
show gRPC has a vulnerability linked to hpack table accounting errors, causing potential unwanted disconnects between clients and servers. Identified vectors include unbounded memory buffering and CPU consumption within the HPACK parser, leading to denial-of-service (DOS) attacks. The CPU issue stems from excessive copying, resulting in inefficient parsing. Memory issues arise from delayed header size checks, allowing large strings to be buffered, and a quirk in HPACK's integer encoding, permitting infinite zero-padding. Additionally, metadata overflow checks per frame could enable infinite buffering, compromising gRPC's stability and security. |
grpcio | 1.46.3 | <1.53.0 |
show When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Connection Confusion vulnerability. When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. https://github.com/advisories/GHSA-cfgp-2977-2fmm |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Connection Termination vulnerability. The prior versions contain a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for -bin suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. https://github.com/advisories/GHSA-9hxf-ppjv-w6rq |
grpcio | 1.46.3 | <1.53.2 , >=1.54.0rc1,<1.54.3 , >=1.55.0rc1,<1.55.3 , >=1.56.0rc1,<1.56.2 |
show Grpcio 1.53.2, 1.54.3, 1.55.3 and 1.56.2 include a fix for CVE-2023-4785: Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected. https://github.com/grpc/grpc/pull/33656 |
grpcio | 1.46.3 | <1.53.0 |
show There exists an vulnerability causing an abort() to be called in gRPC. The following headers cause gRPC's C++ implementation to abort() when called via http2: te: x (x != trailers) :scheme: x (x != http, https) grpclb_client_stats: x (x == anything) On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB. |
grpcio | 1.46.3 | <1.53.0 |
show gRPC contains a vulnerability whereby a client can cause a termination of the connection between an HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Reachable Assertion vulnerability. https://github.com/advisories/GHSA-6628-q6j9-w8vg |
grpcio | 1.46.3 | <1.53.2 , >=1.54.0,<1.54.3 , >=1.55.0,<1.55.2 , >=1.56.0,<1.56.2 |
show gRPC has a vulnerability linked to hpack table accounting errors, causing potential unwanted disconnects between clients and servers. Identified vectors include unbounded memory buffering and CPU consumption within the HPACK parser, leading to denial-of-service (DOS) attacks. The CPU issue stems from excessive copying, resulting in inefficient parsing. Memory issues arise from delayed header size checks, allowing large strings to be buffered, and a quirk in HPACK's integer encoding, permitting infinite zero-padding. Additionally, metadata overflow checks per frame could enable infinite buffering, compromising gRPC's stability and security. |
grpcio | 1.46.3 | <1.53.0 |
show When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Connection Confusion vulnerability. When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. https://github.com/advisories/GHSA-cfgp-2977-2fmm |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Connection Termination vulnerability. The prior versions contain a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for -bin suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. https://github.com/advisories/GHSA-9hxf-ppjv-w6rq |
grpcio | 1.46.3 | <1.53.2 , >=1.54.0rc1,<1.54.3 , >=1.55.0rc1,<1.55.3 , >=1.56.0rc1,<1.56.2 |
show Grpcio 1.53.2, 1.54.3, 1.55.3 and 1.56.2 include a fix for CVE-2023-4785: Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected. https://github.com/grpc/grpc/pull/33656 |
grpcio | 1.46.3 | <1.53.0 |
show There exists an vulnerability causing an abort() to be called in gRPC. The following headers cause gRPC's C++ implementation to abort() when called via http2: te: x (x != trailers) :scheme: x (x != http, https) grpclb_client_stats: x (x == anything) On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB. |
grpcio | 1.46.3 | <1.53.0 |
show gRPC contains a vulnerability whereby a client can cause a termination of the connection between an HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Reachable Assertion vulnerability. https://github.com/advisories/GHSA-6628-q6j9-w8vg |
Package | Installed | Affected | Info |
---|---|---|---|
grpcio | 1.46.3 | <1.53.2 , >=1.54.0,<1.54.3 , >=1.55.0,<1.55.2 , >=1.56.0,<1.56.2 |
show gRPC has a vulnerability linked to hpack table accounting errors, causing potential unwanted disconnects between clients and servers. Identified vectors include unbounded memory buffering and CPU consumption within the HPACK parser, leading to denial-of-service (DOS) attacks. The CPU issue stems from excessive copying, resulting in inefficient parsing. Memory issues arise from delayed header size checks, allowing large strings to be buffered, and a quirk in HPACK's integer encoding, permitting infinite zero-padding. Additionally, metadata overflow checks per frame could enable infinite buffering, compromising gRPC's stability and security. |
grpcio | 1.46.3 | <1.53.0 |
show When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Connection Confusion vulnerability. When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. https://github.com/advisories/GHSA-cfgp-2977-2fmm |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Connection Termination vulnerability. The prior versions contain a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for -bin suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. https://github.com/advisories/GHSA-9hxf-ppjv-w6rq |
grpcio | 1.46.3 | <1.53.2 , >=1.54.0rc1,<1.54.3 , >=1.55.0rc1,<1.55.3 , >=1.56.0rc1,<1.56.2 |
show Grpcio 1.53.2, 1.54.3, 1.55.3 and 1.56.2 include a fix for CVE-2023-4785: Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected. https://github.com/grpc/grpc/pull/33656 |
grpcio | 1.46.3 | <1.53.0 |
show There exists an vulnerability causing an abort() to be called in gRPC. The following headers cause gRPC's C++ implementation to abort() when called via http2: te: x (x != trailers) :scheme: x (x != http, https) grpclb_client_stats: x (x == anything) On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB. |
grpcio | 1.46.3 | <1.53.0 |
show gRPC contains a vulnerability whereby a client can cause a termination of the connection between an HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Reachable Assertion vulnerability. https://github.com/advisories/GHSA-6628-q6j9-w8vg |
grpcio | 1.46.3 | <1.53.2 , >=1.54.0,<1.54.3 , >=1.55.0,<1.55.2 , >=1.56.0,<1.56.2 |
show gRPC has a vulnerability linked to hpack table accounting errors, causing potential unwanted disconnects between clients and servers. Identified vectors include unbounded memory buffering and CPU consumption within the HPACK parser, leading to denial-of-service (DOS) attacks. The CPU issue stems from excessive copying, resulting in inefficient parsing. Memory issues arise from delayed header size checks, allowing large strings to be buffered, and a quirk in HPACK's integer encoding, permitting infinite zero-padding. Additionally, metadata overflow checks per frame could enable infinite buffering, compromising gRPC's stability and security. |
grpcio | 1.46.3 | <1.53.0 |
show When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Connection Confusion vulnerability. When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. https://github.com/advisories/GHSA-cfgp-2977-2fmm |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Connection Termination vulnerability. The prior versions contain a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for -bin suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. https://github.com/advisories/GHSA-9hxf-ppjv-w6rq |
grpcio | 1.46.3 | <1.53.2 , >=1.54.0rc1,<1.54.3 , >=1.55.0rc1,<1.55.3 , >=1.56.0rc1,<1.56.2 |
show Grpcio 1.53.2, 1.54.3, 1.55.3 and 1.56.2 include a fix for CVE-2023-4785: Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected. https://github.com/grpc/grpc/pull/33656 |
grpcio | 1.46.3 | <1.53.0 |
show There exists an vulnerability causing an abort() to be called in gRPC. The following headers cause gRPC's C++ implementation to abort() when called via http2: te: x (x != trailers) :scheme: x (x != http, https) grpclb_client_stats: x (x == anything) On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB. |
grpcio | 1.46.3 | <1.53.0 |
show gRPC contains a vulnerability whereby a client can cause a termination of the connection between an HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Reachable Assertion vulnerability. https://github.com/advisories/GHSA-6628-q6j9-w8vg |
Package | Installed | Affected | Info |
---|---|---|---|
grpcio | 1.46.3 | <1.53.2 , >=1.54.0,<1.54.3 , >=1.55.0,<1.55.2 , >=1.56.0,<1.56.2 |
show gRPC has a vulnerability linked to hpack table accounting errors, causing potential unwanted disconnects between clients and servers. Identified vectors include unbounded memory buffering and CPU consumption within the HPACK parser, leading to denial-of-service (DOS) attacks. The CPU issue stems from excessive copying, resulting in inefficient parsing. Memory issues arise from delayed header size checks, allowing large strings to be buffered, and a quirk in HPACK's integer encoding, permitting infinite zero-padding. Additionally, metadata overflow checks per frame could enable infinite buffering, compromising gRPC's stability and security. |
grpcio | 1.46.3 | <1.53.0 |
show When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Connection Confusion vulnerability. When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. https://github.com/advisories/GHSA-cfgp-2977-2fmm |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Connection Termination vulnerability. The prior versions contain a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for -bin suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. https://github.com/advisories/GHSA-9hxf-ppjv-w6rq |
grpcio | 1.46.3 | <1.53.2 , >=1.54.0rc1,<1.54.3 , >=1.55.0rc1,<1.55.3 , >=1.56.0rc1,<1.56.2 |
show Grpcio 1.53.2, 1.54.3, 1.55.3 and 1.56.2 include a fix for CVE-2023-4785: Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected. https://github.com/grpc/grpc/pull/33656 |
grpcio | 1.46.3 | <1.53.0 |
show There exists an vulnerability causing an abort() to be called in gRPC. The following headers cause gRPC's C++ implementation to abort() when called via http2: te: x (x != trailers) :scheme: x (x != http, https) grpclb_client_stats: x (x == anything) On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB. |
grpcio | 1.46.3 | <1.53.0 |
show gRPC contains a vulnerability whereby a client can cause a termination of the connection between an HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Reachable Assertion vulnerability. https://github.com/advisories/GHSA-6628-q6j9-w8vg |
grpcio | 1.46.3 | <1.53.2 , >=1.54.0,<1.54.3 , >=1.55.0,<1.55.2 , >=1.56.0,<1.56.2 |
show gRPC has a vulnerability linked to hpack table accounting errors, causing potential unwanted disconnects between clients and servers. Identified vectors include unbounded memory buffering and CPU consumption within the HPACK parser, leading to denial-of-service (DOS) attacks. The CPU issue stems from excessive copying, resulting in inefficient parsing. Memory issues arise from delayed header size checks, allowing large strings to be buffered, and a quirk in HPACK's integer encoding, permitting infinite zero-padding. Additionally, metadata overflow checks per frame could enable infinite buffering, compromising gRPC's stability and security. |
grpcio | 1.46.3 | <1.53.0 |
show When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Connection Confusion vulnerability. When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. https://github.com/advisories/GHSA-cfgp-2977-2fmm |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Connection Termination vulnerability. The prior versions contain a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for -bin suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. https://github.com/advisories/GHSA-9hxf-ppjv-w6rq |
grpcio | 1.46.3 | <1.53.2 , >=1.54.0rc1,<1.54.3 , >=1.55.0rc1,<1.55.3 , >=1.56.0rc1,<1.56.2 |
show Grpcio 1.53.2, 1.54.3, 1.55.3 and 1.56.2 include a fix for CVE-2023-4785: Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected. https://github.com/grpc/grpc/pull/33656 |
grpcio | 1.46.3 | <1.53.0 |
show There exists an vulnerability causing an abort() to be called in gRPC. The following headers cause gRPC's C++ implementation to abort() when called via http2: te: x (x != trailers) :scheme: x (x != http, https) grpclb_client_stats: x (x == anything) On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB. |
grpcio | 1.46.3 | <1.53.0 |
show gRPC contains a vulnerability whereby a client can cause a termination of the connection between an HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. |
grpcio | 1.46.3 | <1.53.0 |
show Grpcio 1.53.0 includes a fix for a Reachable Assertion vulnerability. https://github.com/advisories/GHSA-6628-q6j9-w8vg |
https://pyup.io/repos/github/amor71/mnqueues/python-3-shield.svg
[![Python 3](https://pyup.io/repos/github/amor71/mnqueues/python-3-shield.svg)](https://pyup.io/repos/github/amor71/mnqueues/)
.. image:: https://pyup.io/repos/github/amor71/mnqueues/python-3-shield.svg :target: https://pyup.io/repos/github/amor71/mnqueues/ :alt: Python 3
<a href="https://pyup.io/repos/github/amor71/mnqueues/"><img src="https://pyup.io/repos/github/amor71/mnqueues/shield.svg" alt="Python 3" /></a>
!https://pyup.io/repos/github/amor71/mnqueues/python-3-shield.svg(Python 3)!:https://pyup.io/repos/github/amor71/mnqueues/
{<img src="https://pyup.io/repos/github/amor71/mnqueues/python-3-shield.svg" alt="Python 3" />}[https://pyup.io/repos/github/amor71/mnqueues/]
https://pyup.io/repos/github/amor71/mnqueues/shield.svg
[![Updates](https://pyup.io/repos/github/amor71/mnqueues/shield.svg)](https://pyup.io/repos/github/amor71/mnqueues/)
.. image:: https://pyup.io/repos/github/amor71/mnqueues/shield.svg :target: https://pyup.io/repos/github/amor71/mnqueues/ :alt: Updates
<a href="https://pyup.io/repos/github/amor71/mnqueues/"><img src="https://pyup.io/repos/github/amor71/mnqueues/shield.svg" alt="Updates" /></a>
!https://pyup.io/repos/github/amor71/mnqueues/shield.svg(Updates)!:https://pyup.io/repos/github/amor71/mnqueues/
{<img src="https://pyup.io/repos/github/amor71/mnqueues/shield.svg" alt="Updates" />}[https://pyup.io/repos/github/amor71/mnqueues/]