
11 matches found

Tenable Nessus
added 2024/12/11 12:0 a.m. | 15 views

Amazon Linux 2023 : grpc, grpc-cpp, grpc-data (ALAS2023-2024-769)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2024-769 advisory. It's possible for a gRPC client communicating with a HTTP/2 proxy to poison the HPACK table between the proxy and the backend such that other clients see failed requests. It's also possible to use this...

CVSS 6.3 | AI score 6.4 | EPSS 0.00224
Exploits: 1 | References: 4

Veracode
added 2024/08/07 5:41 a.m. | 17 views

Information Disclosure

libgrpc.so is vulnerable to Information Disclosure. The vulnerability is due to an error status for a misencoded header not cleared between header reads, resulting in subsequent incrementally indexed added headers in the first request being poisoned until cleared from the HPACK table. This can be...

CVSS 6.3 | AI score 6.5 | EPSS 0.00224
Exploits: 1 | References: 2 | Affected Software: 4

Tenable Nessus
added 2024/02/29 12:0 a.m. | 28 views

CentOS 9 : toolbox-0.0.99.3-9.el9

The remote CentOS Linux 9 host has packages installed that are affected by a vulnerability as referenced in the toolbox-0.0.99.3-9.el9 build changelog. - An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP heade...

CVSS 5.3 | AI score 7 | EPSS 0.05623
Exploits: 0 | References: 2

Tenable Nessus
added 2023/03/24 12:0 a.m. | 34 views

Fedora 37 : gmailctl (2023-ca444fdecf)

The remote Fedora 37 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2023-ca444fdecf advisory. Rebuild for CVE-20220-3064,41717,41723 Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that...

CVSS 7.5 | AI score 7.1 | EPSS 0.05623
Exploits: 0 | References: 4

Tenable Nessus
added 2023/03/08 12:0 a.m. | 31 views

EulerOS 2.0 SP9 : golang (EulerOS-SA-2023-1442)

According to the versions of the golang packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header...

CVSS 5.3 | AI score 7.1 | EPSS 0.05623
Exploits: 0 | References: 2

Tenable Nessus
added 2023/02/09 12:0 a.m. | 23 views

Fedora 37 : golang-github-google-dap (2023-8ecc0e487e)

The remote Fedora 37 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2023-8ecc0e487e advisory. Update go-dap to 0.7.0, also fix CVE-2022-41717 Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that...

CVSS 5.3 | AI score 7 | EPSS 0.05623
Exploits: 0 | References: 2

RedHat Linux
added 2023/01/23 3:26 p.m. | 1 views

golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests

A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache...

CVSS 5.3 | AI score 6.6 | EPSS 0.05623
Exploits: 0 | References: 9

OSV
added 2022/12/08 8:15 p.m. | 0 views

AZL-33573 CVE-2022-41717 affecting package containerized-data-importer for versions less than 1.55.0-20

An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate...

CVSS 5.3 | AI score 6.7 | EPSS 0.05623
Exploits: 0 | References: 1

Prion
added 2022/12/08 8:15 p.m. | 23 views

Design/Logic Flaw

An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate...

CVSS 5 | AI score 6.5 | EPSS 0.05623
Exploits: 0 | References: 23 | Affected Software: 3

Cvelist
added 2022/12/08 7:3 p.m. | 33 views

CVE-2022-41717 Excessive memory growth in net/http and golang.org/x/net/http2

An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate...

AI score 6.8 | EPSS 0.05623
Exploits: 0 | References: 23

OSV
added 2022/12/08 7:1 p.m. | 45 views

GO-2022-1144 Excessive memory growth in net/http and golang.org/x/net/http2

An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate...

CVSS 5.3 | AI score 6.7 | EPSS 0.05623
Exploits: 0 | References: 4