CVE-2024-7246 Vulnerability Details


CVE-2024-7246 Metadata Quick Info

CVE Published: 06/08/2024 | CVE Updated: 06/08/2024 | CVE Year: 2024
Source: Google | Vendor: Google | Product: gRPC
Status: PUBLISHED

CVE-2024-7246 Description

It's possible for a gRPC client communicating with an HTTP/2 proxy to poison the HPACK table between the proxy and the backend such that other clients see failed requests. It's also possible to use this vulnerability to leak other clients' HTTP header keys, but not values. This occurs because the error status for a misencoded header is not cleared between header reads, resulting in subsequent (incrementally indexed) added headers in the first request being poisoned until cleared from the HPACK table. Please update to a fixed version of gRPC as soon as possible. This bug has been fixed in 1.58.3, 1.59.5, 1.60.2, 1.61.3, 1.62.3, 1.63.2, 1.64.3, 1.65.4.

Metrics

CVSS Version: 3.1 | Base Score: n/a
Vector: n/a

Exploitability Metrics:
    Attack Vector (AV): n/a
    Attack Complexity (AC): n/a
    Privileges Required (PR): n/a
    User Interaction (UI): n/a
    Scope (S): n/a

Impact Metrics:
    Confidentiality Impact (C): n/a
    Integrity Impact (I): n/a
    Availability Impact (A): n/a

Weakness Enumeration (CWE)

CWE-ID: CWE-440
CWE Name: CWE-440: Expected Behavior Violation
Source: Google

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID: CAPEC-220
CAPEC Description: CAPEC-220 Client-Server Protocol Manipulation
Source: NVD (National Vulnerability Database).