Path to dependency file: /test/fixtures/testdata/java/example_cc/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.grpc/grpc-protobuf/1.23.0/1428515d3aca8964dfdc4d4ba912d0fda0f41f2/grpc-protobuf-1.23.0.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.grpc/grpc-protobuf/1.23.0/1428515d3aca8964dfdc4d4ba912d0fda0f41f2/grpc-protobuf-1.23.0.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.grpc/grpc-protobuf/1.23.0/1428515d3aca8964dfdc4d4ba912d0fda0f41f2/grpc-protobuf-1.23.0.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.grpc/grpc-protobuf/1.23.0/1428515d3aca8964dfdc4d4ba912d0fda0f41f2/grpc-protobuf-1.23.0.jar
When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. We recommend upgrading beyond the commit contained in https://github.com/grpc/grpc/pull/33005 https://github.com/grpc/grpc/pull/33005
CVE-2023-32731 - High Severity Vulnerability
grpc-protobuf-1.23.0.jar
gRPC: Protobuf
Library home page: https://github.com/grpc/grpc-java
Path to dependency file: /test/fixtures/testdata/java/example_cc/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.grpc/grpc-protobuf/1.23.0/1428515d3aca8964dfdc4d4ba912d0fda0f41f2/grpc-protobuf-1.23.0.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.grpc/grpc-protobuf/1.23.0/1428515d3aca8964dfdc4d4ba912d0fda0f41f2/grpc-protobuf-1.23.0.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.grpc/grpc-protobuf/1.23.0/1428515d3aca8964dfdc4d4ba912d0fda0f41f2/grpc-protobuf-1.23.0.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.grpc/grpc-protobuf/1.23.0/1428515d3aca8964dfdc4d4ba912d0fda0f41f2/grpc-protobuf-1.23.0.jar
Dependency Hierarchy: - fabric-chaincode-shim-1.4.8.jar (Root Library) - fabric-chaincode-protos-1.4.8.jar - :x: **grpc-protobuf-1.23.0.jar** (Vulnerable Library)
Found in base branch: main
When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. We recommend upgrading beyond the commit contained in https://github.com/grpc/grpc/pull/33005 https://github.com/grpc/grpc/pull/33005
Publish Date: 2023-06-09
URL: CVE-2023-32731
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2023-32731
Release Date: 2023-06-09
Fix Resolution: grpc - 1.53.1,1.54.2, grpcio - 1.53.1,1.54.2
Step up your Open Source Security Game with Mend here