grpc-ecosystem / go-grpc-middleware

Golang gRPC Middlewares: interceptor chaining, auth, logging, retries and more.
Apache License 2.0

Fix for vulnerability CVE-2023-44487 #696

Closed vkaushik closed 6 months ago

vkaushik commented 6 months ago

Changes

This change includes updating the package "google.golang.org/grpc" as a fix to the following vulnerability:

Vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2023-44487

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

grpc fix version - https://github.com/grpc/grpc-go/releases/tag/v1.56.3

Verification
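The PR description leaves its Verification section empty. The following is an added example, not code from this PR or from go-grpc-middleware, of the check a reviewer could run to confirm the bump: it parses a go.mod, finds the pinned `google.golang.org/grpc` version and compares it against the v1.56.3 release the PR names as carrying the fix. The parser, the sample go.mod texts and all function names are constructed for this example; it uses only the standard library rather than `golang.org/x/mod/modfile`.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// FixedGRPCVersion is the grpc-go release the PR description names as the
// fix for CVE-2023-44487.
const FixedGRPCVersion = "v1.56.3"

const grpcModulePath = "google.golang.org/grpc"

// ParseRequires extracts module path -> version from go.mod text. It handles
// single-line "require m v1.2.3" and block "require ( ... )" forms and drops
// trailing // comments. Hand-written minimal parser (assumption: enough for
// well-formed go.mod files, not a replacement for x/mod/modfile).
func ParseRequires(goMod string) map[string]string {
	reqs := make(map[string]string)
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i]
		}
		fields := strings.Fields(line)
		if len(fields) == 0 {
			continue
		}
		switch {
		case inBlock && fields[0] == ")":
			inBlock = false
		case inBlock && len(fields) >= 2:
			reqs[fields[0]] = fields[1]
		case fields[0] == "require" && len(fields) >= 2 && fields[1] == "(":
			inBlock = true
		case fields[0] == "require" && len(fields) >= 3:
			reqs[fields[1]] = fields[2]
		}
	}
	return reqs
}

// parseSemver turns "v1.56.3" into [1 56 3]. Pre-release or pseudo-versions
// (anything with a "-" or "+" suffix) are rejected so that they are reported
// conservatively as not verified rather than guessed at.
func parseSemver(v string) ([3]int, bool) {
	var out [3]int
	v = strings.TrimPrefix(v, "v")
	if strings.ContainsAny(v, "-+") {
		return out, false
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return out, false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return out, false
		}
		out[i] = n
	}
	return out, true
}

// AtLeast reports whether plain semver v is >= min; unparsable input is false.
func AtLeast(v, min string) bool {
	a, okA := parseSemver(v)
	b, okB := parseSemver(min)
	if !okA || !okB {
		return false
	}
	for i := 0; i < 3; i++ {
		if a[i] != b[i] {
			return a[i] > b[i]
		}
	}
	return true
}

// GRPCPatched returns the pinned grpc-go version and whether it is at or above
// FixedGRPCVersion. A single threshold is only valid when the fix lives in one
// release line; when a fix is backported to several minor branches, compare
// against the patched version of the branch actually in use.
func GRPCPatched(goMod string) (version string, patched bool) {
	v, ok := ParseRequires(goMod)[grpcModulePath]
	if !ok {
		return "", false
	}
	return v, AtLeast(v, FixedGRPCVersion)
}

// Constructed sample go.mod contents (not taken from the repository).
const vulnerableGoMod = "module example.com/svc\n\ngo 1.19\n\nrequire (\n\tgithub.com/stretchr/testify v1.8.4\n\tgoogle.golang.org/grpc v1.56.2 // pre-fix release\n)\n"

const patchedGoMod = "module example.com/svc\n\ngo 1.19\n\nrequire google.golang.org/grpc v1.56.3\n"

func main() {
	for _, m := range []string{vulnerableGoMod, patchedGoMod} {
		v, ok := GRPCPatched(m)
		fmt.Printf("grpc-go %s: patched=%v\n", v, ok)
	}
}
```

Running it against the two constructed files reports the v1.56.2 pin as unpatched and the v1.56.3 pin as patched; pointing `GRPCPatched` at a real go.mod is the one-line verification the PR's empty section called for.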

vkaushik commented 6 months ago

Hi @johanbrandhorst , please merge this change. This'll result in fixing warnings from vulnerability scanners in repos using this package.

johanbrandhorst commented 6 months ago

Thanks for your contribution!