Lucene search

Alpine Linux Development TeamALPINE:CVE-2024-7246

HistoryAug 06, 2024 - 11:16 a.m.

CVE-2024-7246

2024-08-0611:16:07

Alpine Linux Development Team

security.alpinelinux.org

grpc

hpack

http/2 proxy

failed requests

vulnerability

http header leakage

fixed version

update

bug fixed

grpc versions

CVSS4

6.3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/SC:N/VI:N/SI:N/VA:L/SA:L

AI Score

7.2

Confidence

Low

EPSS

Percentile

9.5%

JSON

It’s possible for a gRPC client communicating with a HTTP/2 proxy to poison the HPACK table between the proxy and the backend such that other clients see failed requests. It’s also possible to use this vulnerability to leak other clients HTTP header keys, but not values.

This occurs because the error status for a misencoded header is not cleared between header reads, resulting in subsequent (incrementally indexed) added headers in the first request being poisoned until cleared from the HPACK table.

Please update to a fixed version of gRPC as soon as possible. This bug has been fixed in 1.58.3, 1.59.5, 1.60.2, 1.61.3, 1.62.3, 1.63.2, 1.64.3, 1.65.4.

OSVersionArchitecturePackageVersionFilename
Alpineedge-communitynoarchgrpc= 1.62.1-r1UNKNOWN
Alpine3.20-communitynoarchgrpc= 1.62.1-r0UNKNOWN

OS	Version	Architecture	Package	Version	Filename
Alpine	edge-community	noarch	grpc	= 1.62.1-r1	UNKNOWN
Alpine	3.20-community	noarch	grpc	= 1.62.1-r0	UNKNOWN

CVSS4

6.3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/SC:N/VI:N/SI:N/VA:L/SA:L

AI Score

7.2

Confidence

Low

EPSS

Percentile

9.5%

JSON

Related for ALPINE:CVE-2024-7246