
CGA-ggp4-vw2x-23hx

https://images.chainguard.dev/security/CGA-ggp4-vw2x-23hx
Package: wavefront-proxy
Latest Update: Fixed
Fixed Version: 13.4-r1

Aliases
  • CVE-2023-32731
  • GHSA-cfgp-2977-2fmm

Severity: 7.4 High (CVSS v3)

Summary

Connection confusion in gRPC

Description

When the gRPC HTTP/2 stack raised a header-size-exceeded error, it skipped parsing the rest of the HPACK frame. Any HPACK dynamic-table mutations in the skipped portion were therefore also skipped, leaving the HPACK tables of sender and receiver desynchronized. If leveraged, say, between a proxy and a backend, this could cause requests from the proxy to be interpreted as containing headers belonging to different proxy clients, an information leak that can be used for privilege escalation or data exfiltration. We recommend upgrading beyond the commit contained in https://github.com/grpc/grpc/pull/32309
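As an added illustration of the mechanism this advisory describes (not gRPC's own code): a toy HPACK decoder whose dynamic table stays in sync with the sender only when table mutations are still applied after a header-size error. The header names, the 64-byte limit and the two requests are constructed for the example.

```python
# Toy model of the HPACK dynamic-table desync described above.  Added
# illustration, not gRPC's code: no static table, Huffman coding or wire
# format, just a dynamic table, so early abandonment of a block is visible.
from dataclasses import dataclass, field

class HeaderSizeExceeded(Exception): pass

@dataclass
class Decoder:
    max_size: int = 64            # assumed per-block limit on name+value bytes
    stop_on_error: bool = True    # True models the pre-fix behaviour
    table: list = field(default_factory=list)  # newest entry at position 0

    def decode(self, block):
        # Instructions: ("lit_idx", n, v) literal added to the table,
        # ("lit", n, v) literal only, ("idx", i) table entry i (1-based).
        headers, size, too_big = [], 0, False
        for instr in block:
            if instr[0] == "idx":
                name, value = self.table[instr[1] - 1]
            else:
                _, name, value = instr
                if instr[0] == "lit_idx":
                    self.table.insert(0, (name, value))  # table mutation
            size += len(name) + len(value)
            if size > self.max_size:
                too_big = True
                if self.stop_on_error:
                    raise HeaderSizeExceeded()  # later mutations never applied
            if not too_big:
                headers.append((name, value))
        if too_big:
            raise HeaderSizeExceeded()  # fixed path: table stayed in sync first
        return headers

# Constructed traffic: two clients' requests multiplexed by a proxy over one
# backend connection.  REQ1's cookie plus token push the block over the limit;
# REQ2 references entry 1, which on the proxy's table is its user-agent.
REQ1 = [("lit_idx", "cookie", "session=" + "C" * 40),
        ("lit_idx", "authorization", "Bearer " + "A" * 20),
        ("lit_idx", "user-agent", "proxy/1.0")]
REQ2 = [("lit", "x-tenant", "client-b"), ("idx", 1)]

def decode_second_request(stop_on_error):
    dec = Decoder(stop_on_error=stop_on_error)
    try:
        dec.decode(REQ1)  # rejected either way; the connection stays open
    except HeaderSizeExceeded:
        pass
    return dec.decode(REQ2)
```

With the pre-fix behaviour the backend decodes client B's request as carrying client A's authorization header; with mutations applied even on error, entry 1 resolves to the user-agent the proxy intended.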
