CVE-2023-4785 Denial of Service in gRPC Core

2023-09-1316:31:55

CWE-248

Google

github.com

cve-2023-4785

grpc

denial of service

tcp server

error handling

posix platforms

linux

attack

connections

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

SSVC

Exploitation

none

Automatable

yes

Technical Impact

partial

JSON

Lack of error handling in the TCP server in Google’s gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected.

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:grpc:grpc:*:*:*:*:*:*:*:*"
    ],
    "vendor": "grpc",
    "product": "grpc",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "lessThan": "1.23",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "1.57"
      },
      {
        "status": "affected",
        "version": "1.56.0",
        "versionType": "custom",
        "lessThanOrEqual": "1.56.1"
      },
      {
        "status": "affected",
        "version": "1.55.0",
        "versionType": "custom",
        "lessThanOrEqual": "155.2"
      },
      {
        "status": "affected",
        "version": "1.54.0",
        "versionType": "custom",
        "lessThanOrEqual": "1.54.2"
      },
      {
        "status": "affected",
        "version": "1.53.0",
        "versionType": "custom",
        "lessThanOrEqual": "1.53.1"
      }
    ],
    "defaultStatus": "unknown"
  }
]