CVE-2024-7246 Affecting libgrpc37 package, versions <1.60.0-150600.15.3.1


Severity

Recommended
0.0
medium
0
10

Based on SUSE Linux Enterprise Server security rating.

Threat Intelligence

EPSS
0.04% (11th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-SLES156-LIBGRPC37-8547749
  • published21 Dec 2024
  • disclosed20 Dec 2024

Introduced: 20 Dec 2024

NewCVE-2024-7246  (opens in a new tab)

How to fix?

Upgrade SLES:15.6 libgrpc37 to version 1.60.0-150600.15.3.1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream libgrpc37 package and not the libgrpc37 package as distributed by SLES. See How to fix? for SLES:15.6 relevant fixed versions and status.

It's possible for a gRPC client communicating with a HTTP/2 proxy to poison the HPACK table between the proxy and the backend such that other clients see failed requests. It's also possible to use this vulnerability to leak other clients HTTP header keys, but not values.

This occurs because the error status for a misencoded header is not cleared between header reads, resulting in subsequent (incrementally indexed) added headers in the first request being poisoned until cleared from the HPACK table.

Please update to a fixed version of gRPC as soon as possible. This bug has been fixed in 1.58.3, 1.59.5, 1.60.2, 1.61.3, 1.62.3, 1.63.2, 1.64.3, 1.65.4.

CVSS Scores

version 3.1