Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Information leak in gRPC
Vulnerability Description
When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. We recommend upgrading beyond the commit contained in https://github.com/grpc/grpc/pull/33005 https://github.com/grpc/grpc/pull/33005
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H
Vulnerability Type
预期行为违背
Vulnerability Title
gRPC 安全漏洞
Vulnerability Description
gRPC是gRPC开源的一种现代、开源、高性能的远程过程调用 (RPC) 框架。 gRPC存在安全漏洞,该漏洞源于当 gRPC HTTP2 堆栈引发标头大小超出错误时,它会跳过解析 HPACK 帧的其余部分。这导致任何 HPACK 表的改动也被跳过,导致发送方和接收方之间的 HPACK 表不同步。攻击者利用该漏洞导致信息泄露和权限提升。
CVSS Information
N/A
Vulnerability Type
N/A