Security Advisories

CGA-w8w4-2885-pj8c

https://images.chainguard.dev/security/CGA-w8w4-2885-pj8c
Package: thanos-0.32

Latest Update: Fixed

Fixed Version: 0.32.5-r1

Aliases
  • CVE-2023-44487
  • GHSA-m425-mq94-257g
  • GHSA-qppj-fm5r-hxr3

Severity: 7.5 (High), CVSS V3

Summary

gRPC-Go HTTP/2 Rapid Reset vulnerability

Description

Impact

In affected releases of gRPC-Go, an attacker can send HTTP/2 requests, cancel them, and send subsequent requests. This sequence is valid under the HTTP/2 protocol, but it causes the gRPC-Go server to launch more concurrent method handlers than the configured maximum stream limit.

Patches

This vulnerability was addressed by #6703, and the fix is included in the patch releases 1.56.3, 1.57.1 and 1.58.3, as well as in the latest release, 1.59.0.

Along with applying the patch, users should also ensure they are using the grpc.MaxConcurrentStreams server option, which limits the resources the server will spend on any single connection.
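To make the accounting defect concrete, here is an added Go model (not grpc-go's code, and not the actual #6703 change) of a server's per-connection handler slots: one mode frees a slot as soon as the client resets the stream, so a burst of opened-then-reset streams leaves far more handlers running than the limit, while the other mode frees a slot only when the handler returns. Names such as Server and RapidResetPeak are assumed for illustration.

```go
package main
// Added illustration, not grpc-go's code: toy per-connection handler accounting.
// releaseOnReset=true mimics pre-#6703 behaviour: RST_STREAM freed the slot early.
type Server struct {
	limit, peak    int
	releaseOnReset bool
	quotaHeld      map[int]bool // stream id -> occupies a slot
	running        map[int]bool // stream id -> handler still executing
}
func NewServer(limit int, releaseOnReset bool) *Server {
	return &Server{limit: limit, releaseOnReset: releaseOnReset,
		quotaHeld: map[int]bool{}, running: map[int]bool{}}
}

// OpenStream models a new request: refused once all slots are taken,
// otherwise a handler starts and holds one slot.
func (s *Server) OpenStream(id int) bool {
	if len(s.quotaHeld) >= s.limit {
		return false
	}
	s.quotaHeld[id], s.running[id] = true, true
	if len(s.running) > s.peak {
		s.peak = len(s.running)
	}
	return true
}

// ClientReset models RST_STREAM: the handler keeps running; only vulnerable mode frees the slot.
func (s *Server) ClientReset(id int) {
	if s.releaseOnReset {
		delete(s.quotaHeld, id)
	}
}
// HandlerDone models the method handler returning; the slot is freed in both modes.
func (s *Server) HandlerDone(id int) {
	delete(s.running, id)
	delete(s.quotaHeld, id)
}

// RapidResetPeak opens n streams, resetting each before any handler finishes,
// and returns the most handlers that ran concurrently.
func RapidResetPeak(limit, n int, releaseOnReset bool) int {
	s := NewServer(limit, releaseOnReset)
	for id := 1; id <= n; id++ {
		if s.OpenStream(id) {
			s.ClientReset(id)
		}
	}
	return s.peak
}
```

With a limit of 10 and 100 rapid open-then-reset streams, RapidResetPeak reports 100 running handlers under the early-release accounting and 10 under the handler-return accounting.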

Workarounds

None.

References

#6703
