1391 matches found

OSV
added 2023/10/10 2:15 p.m. · 4 views

AZL-31343 CVE-2023-44487 affecting package rook for versions less than 1.6.2-14

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023...

7.5 CVSS · 7 AI score · 0.94395 EPSS
Exploits 19 · References 1

OSV
added 2023/10/10 2:15 p.m. · 1 views

AZL-34771 CVE-2023-44487 affecting package grpc for versions less than 1.42.0-7

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023...

7.5 CVSS · 7.1 AI score · 0.94395 EPSS
Exploits 19 · References 1

GitLab Advisory Database
added 2023/10/10 12:0 a.m. · 35 views

HTTP/2 Stream Cancellation Attack

HTTP/2 Rapid reset attack: The HTTP/2 protocol allows clients to indicate to the server that a previous stream should be canceled by sending an RST_STREAM frame. The protocol does not require the client and server to coordinate the cancellation in any way; the client may do it unilaterally. The clie...

7.5 CVSS · 8.2 AI score · 0.94395 EPSS
Exploits 19 · References 181 · Affected Software 1

Positive Technologies
added 2023/10/06 12:0 a.m. · 5 views

PT-2023-6302 · Unknown +10 · Go Http2 Package +10

Name of the Vulnerable Software and Affected Versions: Go http2 package affected versions not specified Description: A malicious HTTP/2 client can cause excessive server resource consumption by rapidly creating requests and immediately resetting them. This allows the attacker to create a new...

9.8 CVSS · 7.5 AI score · 0.94395 EPSS
Exploits 26 · References 453

0day.today
added 2023/10/02 12:0 a.m. · 285 views

Electrolink FM/DAB/TV Transmitter Pre-Auth MPFS Image Remote Code Execution Vulnerability

Electrolink FM/DAB/TV Transmitter allows access to an unprotected endpoint that allows an MPFS File System binary image upload without authentication. The MPFS2 file system module provides a light-weight read-only file system that can be stored in external EEPROM, external serial Flash, or intern...

7.7 AI score
Exploits 0

Citrix
added 2023/09/12 12:0 a.m. · 4 views

Safari browser loading Web page failure when accessing HTTP2 LB Virtual Server

If ADM Web Insight Client Side Management CSM is enabled, only the Safari browser is unable to open Web page via HTTP2 enabled LB Virtual Server. If ADM Web Insight Client Side Management CSM is disabled, issue does not occur. While other browsers i.e. Firefox, Chrome work fine regardless of the...

6.9 AI score
Exploits 0

Amazon
added 2023/09/06 12:0 a.m. · 1 views

Important: amazon-ecr-credential-helper

Issue Overview: http2/hpack: avoid quadratic complexity in hpack decoding CVE-2022-41723 Affected Packages: amazon-ecr-credential-helper Note: This advisory is applicable to Amazon Linux 2 - Nitro-enclaves Extra. Visit this page to learn more about Amazon Linux 2 AL2 Extras and this FAQ section f...

7.5 CVSS · 6.9 AI score · 0.00226 EPSS
Exploits 0

Tenable Nessus
added 2023/09/06 12:0 a.m. · 30 views

SUSE SLED15 / SLES15 / openSUSE 15 Security Update : sccache (SUSE-SU-2023:3526-1)

The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 / openSUSE 15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:3526-1 advisory. - An issue was discovered in the tokio crate before 1.8.4, and 1.9.x through 1.13.x before 1.13....

8.1 CVSS · 8.6 AI score · 0.10404 EPSS
Exploits 4 · References 14

IBM Security Bulletins
added 2023/08/18 9:24 p.m. · 50 views

Security Bulletin: Multiple Vulnerabilities Affecting IBM Watson Machine Learning Accelerator

Summary IBM Watson Machine Learning Accelerator 1.2.x is vulnerable to several vulnerabilities coming from dependent components. These are addressed. Vulnerability Details CVEID:CVE-2023-20863 DESCRIPTION: VMware Tanzu Spring Framework is vulnerable to a denial of service, caused by improper input...

7.5 CVSS · 7.8 AI score · 0.01183 EPSS
Exploits 2 · Affected Software 1

RedHat Linux
added 2023/08/14 1:2 a.m. · 37 views

Important: Red Hat Security Advisory: Migration Toolkit for Applications security and bug fix update

Migration Toolkit for Applications 6.2.0 release Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the...

9.8 CVSS · 6.8 AI score · 0.00759 EPSS
Exploits 6 · References 102

Tenable Nessus
added 2023/08/14 12:0 a.m. · 31 views

Amazon Linux 2023 : grpc, grpc-cpp, grpc-data (ALAS2023-2023-282)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2023-282 advisory. 2023-10-12: CVE-2023-4785 was added to this advisory. When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table...

7.5 CVSS · 7.1 AI score · 0.00075 EPSS
Exploits 0 · References 8

Amazon
added 2023/08/07 12:0 a.m. · 65 views

Important: cni-plugins

Issue Overview: http2/hpack: avoid quadratic complexity in hpack decoding CVE-2022-41723 Affected Packages: cni-plugins Note: This advisory is applicable to Amazon Linux 2 AL2 Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories. Issue Correction:...

7.5 CVSS · 7.2 AI score · 0.00226 EPSS
Exploits 0

Tenable Nessus
added 2023/07/23 12:0 a.m. · 23 views

Fedora 37 : grpc (2023-6cad6e5003)

The remote Fedora 37 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2023-6cad6e5003 advisory. Security fix for CVE-2023-32732 Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus h...

5.3 CVSS · 7.3 AI score · 0.00024 EPSS
Exploits 0 · References 2

Tenable Nessus
added 2023/07/23 12:0 a.m. · 23 views

Fedora 38 : grpc (2023-15b3e80753)

The remote Fedora 38 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2023-15b3e80753 advisory. Security fix for CVE-2023-32732 Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus h...

5.3 CVSS · 7.3 AI score · 0.00024 EPSS
Exploits 0 · References 2

Veracode
added 2023/07/13 10:9 a.m. · 26 views

Connection Termination

grpc is vulnerable to Connection Termination. An attacker can terminate the connection between an HTTP2 proxy and the gRPC server by providing -bin suffixed headers, which leads to a base64 encoding error, causing an application crash...

5.3 CVSS · 6.8 AI score · 0.00024 EPSS
Exploits 0 · References 7 · Affected Software 5

RedHat Linux
added 2023/07/10 9:56 a.m. · 2 views

golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding

A flaw was found in golang. A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of requests...

7.5 CVSS · 6.6 AI score · 0.00226 EPSS
Exploits 0 · References 11

RedHat Linux
added 2023/07/10 9:56 a.m. · 437 views

Moderate: Red Hat Security Advisory: Red Hat Service Interconnect 1.4 Release security update

This is release 1.4 of the rpms for Red Hat Service Interconnect. Red Hat Service Interconnect 1.4 introduces a service network, linking TCP and HTTP services across the hybrid cloud. A service network enables communication between services running in different network locations or sites. It allo...

9.8 CVSS · 6.9 AI score · 0.00759 EPSS
Exploits 1 · References 15

Veracode
added 2023/07/07 3:56 a.m. · 23 views

Connection Confusion

grpc is vulnerable to Connection Confusion. The vulnerability exists when the gRPC HTTP2 stack raised a header size exceeded error, and it skipped parsing the rest of the HPACK frame, which caused any HPACK table mutations also to be skipped, resulting in the desynchronization of HPACK tables...

7.5 CVSS · 6.7 AI score · 0.00075 EPSS
Exploits 0 · References 7 · Affected Software 5

GitHub Security Blog
added 2023/07/06 9:15 p.m. · 45 views

gRPC connection termination issue

gRPC contains a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for -bin suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. We recommend upgrading beyo...

5.3 CVSS · 5.3 AI score · 0.00024 EPSS
Exploits 0 · References 10 · Affected Software 3

OSV
added 2023/07/06 9:15 p.m. · 24 views

GHSA-6628-Q6J9-W8VG gRPC Reachable Assertion issue

There exists a vulnerability causing an abort to be called in gRPC. The following headers cause gRPC's C++ implementation to abort when called via http2: te: x x != trailers :scheme: x x != http, https grpclbclientstats: x x == anything On top of sending one of those headers, a later header must...

7.5 CVSS · 7.3 AI score · 0.00078 EPSS
Exploits 0 · References 4