Lucene search
HistoryAug 06, 2024 - 11:16 a.m.
CVE-2024-7246
grpc
hpack table
failed requests
http header
vulnerability
update
fixed version
EPSS
0
Percentile
9.5%
It’s possible for a gRPC client communicating with a HTTP/2 proxy to poison the HPACK table between the proxy and the backend such that other clients see failed requests. It’s also possible to use this vulnerability to leak other clients HTTP header keys, but not values.
This occurs because the error status for a misencoded header is not cleared between header reads, resulting in subsequent (incrementally indexed) added headers in the first request being poisoned until cleared from the HPACK table.
Please update to a fixed version of gRPC as soon as possible. This bug has been fixed in 1.58.3, 1.59.5, 1.60.2, 1.61.3, 1.62.3, 1.63.2, 1.64.3, 1.65.4.
References
Related
alpinelinux
alpinelinux
CVE-2024-7246
2024-08-06 11:16:07
debiancve
debiancve
CVE-2024-7246
2024-08-06 11:16:07
veracode
veracode
Information Disclosure
2024-08-07 05:41:39
vulnrichment
vulnrichment
CVE-2024-7246 HPACK table poisoning in gRPC C++, Python & Ruby
2024-08-06 10:14:28
cvelist
cvelist
CVE-2024-7246 HPACK table poisoning in gRPC C++, Python & Ruby
2024-08-06 10:14:28
cve
cve
CVE-2024-7246
2024-08-06 11:16:07
osv
osv
CVE-2024-7246
2024-08-06 11:16:07
nessus
nessus
ubuntucve
ubuntucve
CVE-2024-7246
2024-08-06 00:00:00
redhatcve
redhatcve
CVE-2024-7246
2024-08-06 13:21:25
wolfi
wolfi
CVE-2024-7246 vulnerabilities
2024-09-19 21:18:36
photon
photon
Important Photon OS Security Update - PHSA-2024-5.0-0351
2024-08-21 00:00:00
redhat
redhat