Lucene search
GoogleCVE-2024-7246HistoryAug 06, 2024 - 11:16 a.m.
CVE-2024-7246
2024-08-0611:16:07
CWE-440
Google
web.nvd.nist.gov
19
grpc
hpack table
http/2 proxy
CVSS4
6.3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/SC:N/VI:N/SI:N/VA:L/SA:L
AI Score
6.4
Confidence
High
EPSS
0
Percentile
9.5%
It’s possible for a gRPC client communicating with a HTTP/2 proxy to poison the HPACK table between the proxy and the backend such that other clients see failed requests. It’s also possible to use this vulnerability to leak other clients HTTP header keys, but not values.
This occurs because the error status for a misencoded header is not cleared between header reads, resulting in subsequent (incrementally indexed) added headers in the first request being poisoned until cleared from the HPACK table.
Please update to a fixed version of gRPC as soon as possible. This bug has been fixed in 1.58.3, 1.59.5, 1.60.2, 1.61.3, 1.62.3, 1.63.2, 1.64.3, 1.65.4.
Affected configurations
Node
googlegrpcRange≤1.53.0
ORgooglegrpcRange≤1.53.1
ORgooglegrpcRange≤1.53.2
ORgooglegrpcRange≤1.54.0
ORgooglegrpcRange≤1.54.1
ORgooglegrpcRange≤1.54.3
ORgooglegrpcRange≤1.55.0
ORgooglegrpcRange≤1.55.1
ORgooglegrpcRange≤1.55.3
ORgooglegrpcRange≤1.55.4
ORgooglegrpcRange≤1.56.0
ORgooglegrpcRange≤1.56.1
ORgooglegrpcRange≤1.56.2
ORgooglegrpcRange≤1.56.3
ORgooglegrpcRange≤1.56.4
ORgooglegrpcRange≤1.57.0
ORgooglegrpcRange≤1.57.1
ORgooglegrpcRange≤1.58.0
ORgooglegrpcRange≤1.58.1
ORgooglegrpcRange≤1.58.2
ORgooglegrpcRange≤1.59.0
ORgooglegrpcRange≤1.59.1
ORgooglegrpcRange≤1.59.2
ORgooglegrpcRange≤1.59.3
ORgooglegrpcRange≤1.59.4
ORgooglegrpcRange≤1.60.0
ORgooglegrpcRange≤1.60.1
ORgooglegrpcRange≤1.61.0
ORgooglegrpcRange≤1.61.1
ORgooglegrpcRange≤1.62.0
ORgooglegrpcRange≤1.61.2
ORgooglegrpcRange≤1.62.1
ORgooglegrpcRange≤1.62.2
ORgooglegrpcRange≤1.63.0
ORgooglegrpcRange≤1.63.1
ORgooglegrpcRange≤1.64.0
ORgooglegrpcRange≤1.64.1
ORgooglegrpcRange≤1.64.2
ORgooglegrpcRange≤1.65.0
ORgooglegrpcRange≤1.65.1
ORgooglegrpcRange≤1.65.2
ORgooglegrpcRange≤1.65.3
CNA Affected
[
{
"defaultStatus": "unaffected",
"product": "gRPC",
"repo": "https://github.com/grpc",
"vendor": "Google",
"versions": [
{
"status": "affected",
"version": "1.53.0",
"versionType": "custom"
},
{
"status": "affected",
"version": "1.53.1",
"versionType": "custom"
},
{
"status": "affected",
"version": "1.53.2",
"versionType": "custom"
},
{
"status": "affected",
"version": "1.54.0",
"versionType": "custom"
},
{
"status": "affected",
"version": "1.54.1",
"versionType": "custom"
},
{
"status": "affected",
"version": "1.54.3",
"versionType": "custom"
},
{
"status": "affected",
"version": "1.55.0",
"versionType": "custom"
},
{
"status": "affected",
"version": "1.55.1",
"versionType": "custom"
},
{
"status": "affected",
"version": "1.55.3",
"versionType": "custom"
},
{
"status": "affected",
"version": "1.55.4",
"versionType": "custom"
},
{
"status": "affected",
"version": "1.56.0",
"versionType": "custom"
},
{
"status": "affected",
"version": "1.56.1",
"versionType": "custom"
},
{
"status": "affected",
"version": "1.56.2",
"versionType": "custom"
},
{
"status": "affected",
"version": "1.56.3",
"versionType": "custom"
},
{
"status": "affected",
"version": "1.56.4",
"versionType": "custom"
},
{
"status": "affected",
"version": "1.57.0",
"versionType": "custom"
},
{
"status": "affected",
"version": "1.57.1",
"versionType": "custom"
},
{
"status": "affected",
"version": "1.58.0",
"versionType": "custom"
},
{
"status": "affected",
"version": "1.58.1",
"versionType": "custom"
},
{
"status": "affected",
"version": "1.58.2",
"versionType": "custom"
},
{
"status": "affected",
"version": "1.59.0",
"versionType": "custom"
},
{
"status": "affected",
"version": "1.59.1",
"versionType": "custom"
},
{
"status": "affected",
"version": "1.59.2",
"versionType": "custom"
},
{
"status": "affected",
"version": "1.59.3",
"versionType": "custom"
},
{
"status": "affected",
"version": "1.59.4",
"versionType": "custom"
},
{
"status": "affected",
"version": "1.60.0",
"versionType": "custom"
},
{
"status": "affected",
"version": "1.60.1",
"versionType": "custom"
},
{
"status": "affected",
"version": "1.61.0",
"versionType": "custom"
},
{
"status": "affected",
"version": "1.61.1",
"versionType": "custom"
},
{
"status": "affected",
"version": "1.62.0",
"versionType": "custom"
},
{
"status": "affected",
"version": "1.61.2",
"versionType": "custom"
},
{
"status": "affected",
"version": "1.62.1",
"versionType": "custom"
},
{
"status": "affected",
"version": "1.62.2",
"versionType": "custom"
},
{
"status": "affected",
"version": "1.63.0",
"versionType": "custom"
},
{
"status": "affected",
"version": "1.63.1",
"versionType": "custom"
},
{
"status": "affected",
"version": "1.64.0",
"versionType": "custom"
},
{
"status": "affected",
"version": "1.64.1",
"versionType": "custom"
},
{
"status": "affected",
"version": "1.64.2",
"versionType": "custom"
},
{
"status": "affected",
"version": "1.65.0",
"versionType": "custom"
},
{
"status": "affected",
"version": "1.65.1",
"versionType": "custom"
},
{
"status": "affected",
"version": "1.65.2",
"versionType": "custom"
},
{
"status": "affected",
"version": "1.65.3",
"versionType": "custom"
}
]
}
]References
Related
nvd
nvd
CVE-2024-7246
2024-08-06 11:16:07
alpinelinux
alpinelinux
CVE-2024-7246
2024-08-06 11:16:07
debiancve
debiancve
CVE-2024-7246
2024-08-06 11:16:07
veracode
veracode
Information Disclosure
2024-08-07 05:41:39
vulnrichment
vulnrichment
CVE-2024-7246 HPACK table poisoning in gRPC C++, Python & Ruby
2024-08-06 10:14:28
cvelist
cvelist
CVE-2024-7246 HPACK table poisoning in gRPC C++, Python & Ruby
2024-08-06 10:14:28
osv
osv
CVE-2024-7246
2024-08-06 11:16:07
nessus
nessus
ubuntucve
ubuntucve
CVE-2024-7246
2024-08-06 00:00:00
redhatcve
redhatcve
CVE-2024-7246
2024-08-06 13:21:25
wolfi
wolfi
CVE-2024-7246 vulnerabilities
2024-09-19 21:18:36
photon
photon
Important Photon OS Security Update - PHSA-2024-5.0-0351
2024-08-21 00:00:00
redhat
redhat
CVSS4
6.3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/SC:N/VI:N/SI:N/VA:L/SA:L
AI Score
6.4
Confidence
High
EPSS
0
Percentile
9.5%
Related for CVE-2024-7246