Resolve CVE-2023-32731#4647
Conversation
Codecov Report
Additional details and impacted files@@ Coverage Diff @@
## main #4647 +/- ##
=======================================
Coverage 84.98% 84.99%
=======================================
Files 314 314
Lines 12683 12685 +2
=======================================
+ Hits 10779 10781 +2
Misses 1904 1904
|
| <PackageVersion Include="Google.Protobuf" Version="[3.19.4,4.0)" /> | ||
| <PackageVersion Include="Grpc" Version="[2.44.0,3.0)" /> | ||
| <PackageVersion Include="Grpc.Net.Client" Version="[2.45.0,3.0)" /> | ||
| <PackageVersion Include="Grpc.Net.Client" Version="[2.52.0,3.0)" /> |
There was a problem hiding this comment.
Are you sure 2.52.0 contains the fix? Based on the PR you reference, it looks like when it was merged its commit is tagged with 2.53.0 grpc/grpc@29d8bee
There was a problem hiding this comment.
Oh, my mistake the fix was the PR is against the core grpc repo not Grpc.Net.Client.
There was a problem hiding this comment.
2.52.0 is also the lowest available version of the package with no known vulnerabilities.
There was a problem hiding this comment.
https://www.nuget.org/packages/Grpc.Net.Client this is the one we'll be using.
I guess the general rule here is to reference the lowest version that is not deprecated?
|
@Kielek heads up... |
|
@open-telemetry/dotnet-instrumentation-maintainers FYI |
|
@alanwest, thanks for the information. Unfortunately, it is a good reason to update. |
4 participants
When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration.
grpc/grpc#32309