Incomplete Internal State Distinction Affecting github.com/grpc/grpc-swift package, versions >=1.0.0 <1.2.0


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.57% (79th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-SWIFT-GRPCGRPCSWIFT-3105798
  • published6 Nov 2022
  • disclosed6 Nov 2022
  • creditOSS-Fuzz

Introduced: 6 Nov 2022

CVE-2021-36153  (opens in a new tab)
CWE-372  (opens in a new tab)

How to fix?

Upgrade grpc/grpc-swift to version 1.2.0 or higher.

Overview

grpc/grpc-swift is a Swift language implementation of gRPC.

Affected versions of this package are vulnerable to Incomplete Internal State Distinction when parsing certain gRPC Web requests. This may lead to a DoS.

CVSS Scores

version 3.1