CVE-2023-32732 (grpc): gRPC connection termination issue

gRPC connection termination issue

Published: July 06, 2023

SECURITY IDENTIFIERS

CVE: CVE-2023-32732 (NVD)
GHSA: GHSA-9hxf-ppjv-w6rq
Vendor Advisory: https://github.com/grpc/grpc/releases/tag/v1.53.1

GEM

grpc

SEVERITY

CVSS v3.x: 5.3 (Medium)

PATCHED VERSIONS

>= 1.53.0

DESCRIPTION

gRPC contains a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for -bin suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. We recommend upgrading beyond the commit in https://github.com/grpc/grpc/pull/32309.

https://nvd.nist.gov/vuln/detail/CVE-2023-32732
https://github.com/grpc/grpc/pull/32309
https://github.com/advisories/GHSA-9hxf-ppjv-w6rq

RubySec