grpc: client communicating with a HTTP/2 proxy can poison the HPACK table between the proxy and the backend

A flaw was found in Google gRPC due to HPACK table poisoning between the proxy and backend so that other clients see failed requests, resulting in a denial of service. This occurs because the error status for a misencoded header is not cleared between header reads, resulting in subsequent...

grpc: client communicating with a HTTP/2 proxy can poison the HPACK table between the proxy and the backend

A flaw was found in Google gRPC due to HPACK table poisoning between the proxy and backend so that other clients see failed requests, resulting in a denial of service. This occurs because the error status for a misencoded header is not cleared between header reads, resulting in subsequent...

OESA-2024-2064 grpc security update

gRPC is a modern open source high performance RPC framework that can run in any environment. It can efficiently connect services in and across data centers with pluggable support for load balancing, tracing, health checking and authentication. It is also applicable in last mile of distributed...

Information Disclosure

libgrpc.so is vulnerable to Information Disclosure. The vulnerability is due to an error status for a misencoded header not cleared between header reads, resulting in subsequent incrementally indexed added headers in the first request being poisoned until cleared from the HPACK table. This can be...

Expected Behavior Violation

Overview Affected versions of this package are vulnerable to Expected Behavior Violation via the HPackParser function when the gRPC client is communicating with an HTTP/2 proxy, allowing the attacker to poison the HPACK table. By manipulating the header encoding and poisoning the HPACK table...