CVE-2023-32731: Information leak in gRPC
First published: Fri Jun 09 2023(Updated: )
gRPC could allow a remote attacker to obtain sensitive information, caused by a flaw when gRPC HTTP2 stack raised a header size exceeded error. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
Credit: cve-coordination@google.com cve-coordination@google.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Grpc Grpc | >=1.53.0<1.55.0 | |
| rubygems/grpc | <1.53.0 | 1.53.0 |
| pip/grpcio | <1.53.0 | 1.53.0 |
| maven/io.grpc:grpc-protobuf | <1.53.0 | 1.53.0 |
| IBM Cloud Pak for Business Automation | <=V23.0.1 - V23.0.1-IF001 | |
| IBM Cloud Pak for Business Automation | <=V21.0.3 - V21.0.3-IF023 | |
| IBM Cloud Pak for Business Automation | <=V22.0.2 - V22.0.2-IF006 and later fixes V22.0.1 - V22.0.1-IF006 and later fixes V21.0.2 - V21.0.2-IF012 and later fixes V21.0.1 - V21.0.1-IF007 and later fixes V20.0.1 - V20.0.3 and later fixes V19.0.1 - V19.0.3 and later fixes V18.0.0 - V18.0.2 and later fixes |
Remedy
Fixes available in these releases: - 1.52.2: https://github.com/grpc/grpc/releases/tag/v1.52.2 https://github.com/grpc/grpc/releases/tag/v1.52.2 - 1.53.1: https://github.com/grpc/grpc/releases/tag/v1.53.1 https://github.com/grpc/grpc/releases/tag/v1.53.1 - 1.54.2: https://github.com/grpc/grpc/releases/tag/v1.54.2 https://github.com/grpc/grpc/releases/tag/v1.54.2 - 1.55.0: https://github.com/grpc/grpc/releases/tag/v1.55.0 https://github.com/grpc/grpc/releases/tag/v1.55.0
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/grpc/grpc/pull/32309
- https://github.com/grpc/grpc/pull/33005
- https://nvd.nist.gov/vuln/detail/CVE-2023-32731
- https://github.com/grpc/grpc/issues/33463
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/grpc/CVE-2023-32731.yml
- https://github.com/advisories/GHSA-cfgp-2977-2fmm (Advisory)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/257688
- https://www.ibm.com/support/pages/node/7030357 (Advisory)
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2023-32731.
What is the severity of CVE-2023-32731?
The severity of CVE-2023-32731 is high, with a CVSS score of 7.5.
Which software is affected by CVE-2023-32731?
Grpc versions 1.53.0 to 1.55.0 are affected by CVE-2023-32731.
What is the impact of CVE-2023-32731?
CVE-2023-32731 can cause a desynchronization of HPACK tables between sender and receiver, leading to potential data inconsistencies.
How can I fix CVE-2023-32731?
Update Grpc to a version later than 1.55.0 to mitigate CVE-2023-32731.
- collector/nvd-index
- collector/github-advisory-latest
- alias/GHSA-cfgp-2977-2fmm
- alias/CVE-2023-32731
- collector/nvd-cve
- collector/github-advisory
- agent/author
- agent/type
- agent/severity
- agent/weakness
- agent/references
- agent/softwarecombine
- agent/description
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/title
- agent/last-modified-date
- agent/tags
- agent/first-publish-date
- agent/event
- vendor/grpc
- canonical/grpc grpc
- version/grpc grpc/1.53.0
- package-manager/rubygems
- package-manager/pip
- package-manager/maven
- vendor/ibm
- canonical/ibm cloud pak for business automation
- version/ibm cloud pak for business automation/v23.0.1 - v23.0.1-if001
- version/ibm cloud pak for business automation/v21.0.3 - v21.0.3-if023
- version/ibm cloud pak for business automation/v22.0.2 - v22.0.2-if006 and later fixes v22.0.1 - v22.0.1-if006 and later fixes v21.0.2 - v21.0.2-if012 and later fixes v21.0.1 - v21.0.1-if007 and later fixes v20.0.1 - v20.0.3 and later fixes v19.0.1 - v19.0.3 and later fixes v18.0.0 - v18.0.2 and later fixes