Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE-2023-32731 (High) detected in grpc-protobuf-1.45.0.jar #3129

Closed
mend-for-github-com bot opened this issue Aug 9, 2023 · 1 comment
Closed

CVE-2023-32731 (High) detected in grpc-protobuf-1.45.0.jar #3129

mend-for-github-com bot opened this issue Aug 9, 2023 · 1 comment
Assignees
@asifsmohammed
Labels
Mend: dependency security vulnerability Security vulnerability detected by WhiteSource
Milestone
v2.5

Comments

@mend-for-github-com
Copy link
Contributor

mend-for-github-com bot commented Aug 9, 2023
edited
Loading

CVE-2023-32731 - High Severity Vulnerability

Vulnerable Library - grpc-protobuf-1.45.0.jar

gRPC: Protobuf

Path to dependency file: /data-prepper-plugins/otel-logs-source/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.grpc/grpc-protobuf/1.45.0/f41a3849091a95af98d009294cd8572b3d152a43/grpc-protobuf-1.45.0.jar

Dependency Hierarchy:

  • armeria-grpc-1.15.0.jar (Root Library)
    • grpc-protobuf-1.45.0.jar (Vulnerable Library)

Found in HEAD commit: 90bdaa7e7833bdd504c817e49d4434b4d8880f56

Found in base branch: main

Vulnerability Details

When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. We recommend upgrading beyond the commit contained in  grpc/grpc#33005 grpc/grpc#33005

Publish Date: 2023-06-09

URL: CVE-2023-32731

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-cfgp-2977-2fmm

Release Date: 2023-06-09

Fix Resolution: grpc- 1.53.0;grpcio- 1.53.0;io.grpc:grpc-protobuf:1.53.0
@mend-for-github-com mend-for-github-com bot added the Mend: dependency security vulnerability Security vulnerability detected by WhiteSource label Aug 9, 2023
@dlvenable dlvenable added this to the v2.4 milestone Aug 9, 2023
@asifsmohammed asifsmohammed modified the milestones: v2.4, v2.5 Aug 21, 2023
@dlvenable dlvenable self-assigned this Sep 7, 2023
@mend-for-github-com mend-for-github-com bot changed the title CVE-2023-32731 (High) detected in multiple libraries CVE-2023-32731 (High) detected in grpc-protobuf-1.49.1.jar, grpc-protobuf-1.45.0.jar Sep 12, 2023
@mend-for-github-com mend-for-github-com bot changed the title CVE-2023-32731 (High) detected in grpc-protobuf-1.49.1.jar, grpc-protobuf-1.45.0.jar CVE-2023-32731 (High) detected in grpc-protobuf-1.45.0.jar Sep 20, 2023
@dlvenable dlvenable removed their assignment Sep 25, 2023
@asifsmohammed
Copy link
Collaborator

Fixed here: #3351

@github-project-automation github-project-automation bot moved this from Unplanned to Done in Data Prepper Tracking Board Sep 26, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@asifsmohammed asifsmohammed

Labels
Mend: dependency security vulnerability Security vulnerability detected by WhiteSource
Projects
Data Prepper Tracking Board
Archived in project
Milestone
v2.5
Development

No branches or pull requests
2 participants
@dlvenable @asifsmohammed