blob: 17d5644b52a2ce024ab7e4e77b18bfe997ff3463 [file] [log] [blame]
id: GO-2023-2153
modules:
- module: google.golang.org/grpc
versions:
- fixed: 1.56.3
- introduced: 1.57.0
- fixed: 1.57.1
- introduced: 1.58.0
- fixed: 1.58.3
vulnerable_at: 1.58.2
packages:
- package: google.golang.org/grpc/internal/transport
symbols:
- NewServerTransport
- package: google.golang.org/grpc
symbols:
- Server.initServerWorkers
derived_symbols:
- NewServer
- Server.Serve
summary: Denial of service from HTTP/2 Rapid Reset in google.golang.org/grpc
description: |-
An attacker can send HTTP/2 requests, cancel them, and send subsequent requests.
This is valid by the HTTP/2 protocol, but would cause the gRPC-Go server to
launch more concurrent method handlers than the configured maximum stream limit,
grpc.MaxConcurrentStreams. This results in a denial of service due to resource
consumption.
ghsas:
- GHSA-m425-mq94-257g
related:
- CVE-2023-44487
references:
- web: https://github.com/grpc/grpc-go/pull/6703
- fix: https://github.com/grpc/grpc-go/commit/f2180b4d5403d2210b30b93098eb7da31c05c721
review_status: REVIEWED