CVE-2023-4785: Denial of Service in gRPC Core
First published: Wed Sep 13 2023(Updated: )
Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected.
Credit: cve-coordination@google.com cve-coordination@google.com cve-coordination@google.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Grpc Grpc | >=1.23.0<1.53.2 | |
| Grpc Grpc | >=1.54.0<1.54.3 | |
| Grpc Grpc | >=1.55.0<1.55.3 | |
| Grpc Grpc | =1.56.0 | |
| pip/grpcio | >=1.53.0<1.53.2 | 1.53.2 |
| pip/grpcio | >=1.54.0<1.54.3 | 1.54.3 |
| pip/grpcio | >=1.55.0<1.55.3 | 1.55.3 |
| rubygems/grpc | >=1.53.0<1.53.2 | 1.53.2 |
| rubygems/grpc | >=1.54.0<1.54.3 | 1.54.3 |
| rubygems/grpc | >=1.55.0<1.55.3 | 1.55.3 |
| rubygems/grpc | >=1.56.0<1.56.2 | 1.56.2 |
| redhat/grpc | <1.53.2 | 1.53.2 |
| redhat/grpc | <1.54.3 | 1.54.3 |
| redhat/grpc | <1.55.3 | 1.55.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/grpc/grpc/pull/33656
- https://github.com/grpc/grpc/pull/33667
- https://github.com/grpc/grpc/pull/33669
- https://github.com/grpc/grpc/pull/33670
- https://github.com/grpc/grpc/pull/33672
- https://nvd.nist.gov/vuln/detail/CVE-2023-4785
- https://groups.google.com/g/grpc-io/c/LlLkB1CeE4U
- https://rubygems.org/gems/grpc/versions/1.53.2
- https://rubygems.org/gems/grpc/versions/1.54.3
- https://rubygems.org/gems/grpc/versions/1.55.3
- https://rubygems.org/gems/grpc/versions/1.56.2
- https://github.com/advisories/GHSA-p25m-jpj4-qcrr (Advisory)
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2239188
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2239187
- https://access.redhat.com/errata/RHSA-2024:0797
- https://bugzilla.redhat.com/show_bug.cgi?id=2239017
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/grpc/CVE-2023-4785.yml
Frequently Asked Questions
What is CVE-2023-4785?
CVE-2023-4785 is a vulnerability in Google's gRPC library that allows an attacker to cause a denial of service by initiating a significant number of connections with the server.
Which platforms are affected by CVE-2023-4785?
CVE-2023-4785 affects posix-compatible platforms (e.g., Linux) where Google's gRPC version 1.23 or later is used.
What is the severity of CVE-2023-4785?
CVE-2023-4785 has a severity rating of 7.5 (high).
How can an attacker exploit CVE-2023-4785?
An attacker can exploit CVE-2023-4785 by initiating a significant number of connections with the gRPC server, causing a denial of service.
Are there any fixes available for CVE-2023-4785?
Yes, fixes for CVE-2023-4785 have been released. It is recommended to update to a patched version of Google's gRPC library to mitigate the vulnerability.
- collector/nvd-api
- collector/nvd-index
- agent/type
- agent/remedy
- agent/weakness
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- agent/author
- agent/severity
- agent/softwarecombine
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2023-4785
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-p25m-jpj4-qcrr
- agent/references
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/title
- agent/tags
- agent/first-publish-date
- agent/event
- vendor/grpc
- canonical/grpc grpc
- version/grpc grpc/1.23.0
- version/grpc grpc/1.54.0
- version/grpc grpc/1.55.0
- version/grpc grpc/1.56.0
- package-manager/redhat
- package-manager/pip
- package-manager/rubygems