Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2024-7246

Good to know:

icon

Date: August 6, 2024

It's possible for a gRPC client communicating with a HTTP/2 proxy to poison the HPACK table between the proxy and the backend such that other clients see failed requests. It's also possible to use this vulnerability to leak other clients HTTP header keys, but not values. This occurs because the error status for a misencoded header is not cleared between header reads, resulting in subsequent (incrementally indexed) added headers in the first request being poisoned until cleared from the HPACK table. Please update to a fixed version of gRPC as soon as possible. This bug has been fixed in 1.58.3, 1.59.5, 1.60.2, 1.61.3, 1.62.3, 1.63.2, 1.64.3, 1.65.4.

Language: C++

Severity Score

Related Resources (3)

https://github.com/grpc/grpc/issues/36245
https://nvd.nist.gov/vuln/detail/CVE-2024-7246
https://www.mend.io/vulnerability-database/CVE-2024-7246

Severity Score

Weakness Type (CWE)

Expected Behavior Violation

CWE-440

Top Fix

icon

Upgrade Version

Upgrade to version v1.58.3,v1.59.5,v1.60.2,v1.61.3,v1.62.3,v1.63.2,v1.64.3,v1.65.4

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): CHANGED
Confidentiality (C): NONE
Integrity (I): NONE
Availability (A): LOW

Do you need more information?

Contact Us