Vulnerabilities > Grpc

DATE CVE VULNERABILITY TITLE RISK
2023-10-10 CVE-2023-44487 The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. 7.5
2023-09-13 CVE-2023-4785 Unspecified vulnerability in Grpc
Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex.
network
low complexity
grpc
7.5
2023-08-09 CVE-2023-33953 Excessive Iteration vulnerability in Grpc
gRPC contains a vulnerability that allows hpack table accounting errors could lead to unwanted disconnects between clients and servers in exceptional cases/ Three vectors were found that allow the following DOS attacks: - Unbounded memory buffering in the HPACK parser - Unbounded CPU consumption in the HPACK parser The unbounded CPU consumption is down to a copy that occurred per-input-block in the parser, and because that could be unbounded due to the memory copy bug we end up with an O(n^2) parsing loop, with n selected by the client. The unbounded memory buffering bugs: - The header size limit check was behind the string reading code, so we needed to first buffer up to a 4 gigabyte string before rejecting it as longer than 8 or 16kb. - HPACK varints have an encoding quirk whereby an infinite number of 0’s can be added at the start of an integer.
network
low complexity
grpc CWE-834
7.5
2023-06-09 CVE-2023-1428 Reachable Assertion vulnerability in Grpc
There exists an vulnerability causing an abort() to be called in gRPC.  The following headers cause gRPC's C++ implementation to abort() when called via http2: te: x (x != trailers) :scheme: x (x != http, https) grpclb_client_stats: x (x == anything) On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB.
network
low complexity
grpc CWE-617
7.5
2023-06-09 CVE-2023-32731 Unspecified vulnerability in Grpc
When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame.
network
low complexity
grpc
7.5
2023-06-09 CVE-2023-32732 gRPC contains a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies.
network
low complexity
grpc fedoraproject
5.3
2020-11-11 CVE-2020-7768 Unspecified vulnerability in Grpc
The package grpc before 1.24.4; the package @grpc/grpc-js before 1.1.8 are vulnerable to Prototype Pollution via loadPackageDefinition.
network
low complexity
grpc
critical
9.8
2017-06-05 CVE-2017-9431 Out-of-bounds Write vulnerability in Grpc
Google gRPC before 2017-04-05 has an out-of-bounds write caused by a heap-based buffer overflow related to core/lib/iomgr/error.c.
network
low complexity
grpc CWE-787
critical
9.8
2017-04-30 CVE-2017-8359 Out-of-bounds Write vulnerability in Grpc
Google gRPC before 2017-03-29 has an out-of-bounds write caused by a heap-based use-after-free related to the grpc_call_destroy function in core/lib/surface/call.c.
network
low complexity
grpc CWE-787
critical
9.8
2017-04-14 CVE-2017-7861 Out-of-bounds Write vulnerability in Grpc
Google gRPC before 2017-02-22 has an out-of-bounds write related to the gpr_free function in core/lib/support/alloc.c.
network
low complexity
grpc CWE-787
critical
9.8