CVE-2023-4785

Denial of Service Vulnerability in gRPC TCP Server (Posix-compatible platforms) in pypi/grpcio

Identifiers

GHSA-p25m-jpj4-qcrr, CVE-2023-4785

Package Slug

pypi/grpcio

Vulnerability

Denial of Service Vulnerability in gRPC TCP Server (Posix-compatible platforms)

Description

Lack of error handling in the TCP server in Google's gRPC, starting with version 1.23, on POSIX-compatible platforms (e.g. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections to the server. Note that gRPC C++, Python, and Ruby are affected, but gRPC Java and Go are NOT affected.
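The class of bug described above is an accept loop that does not cope with accept() failing once a connection flood has exhausted file descriptors (EMFILE/ENFILE on POSIX). The following is an added, generic illustration written for this page; it is not gRPC's code and does not reproduce gRPC's internal listener, and all names in it (naive_accept_loop, hardened_accept_loop, make_scripted_accept, FLOOD_SCRIPT) are hypothetical. It contrasts a loop that lets the first accept() error escape with one that treats resource exhaustion as transient and backs off, driven by a constructed, scripted stand-in for listener.accept() so it runs offline without opening sockets.

```python
import errno
import time
from typing import Callable, List

# Errnos that mean the process or host is temporarily out of resources.
# The listening socket itself is still fine, so back off and keep serving.
TRANSIENT_ERRNOS = {errno.EMFILE, errno.ENFILE, errno.ENOBUFS, errno.ENOMEM}
# Errnos that concern only the one pending connection; just try again.
PER_CONNECTION_ERRNOS = {errno.ECONNABORTED, errno.EINTR, errno.EAGAIN}


def naive_accept_loop(accept: Callable[[], object],
                      handle: Callable[[object], None],
                      max_accepts: int) -> int:
    """Accept loop with no error handling (hypothetical, not gRPC's code).

    The first accept() failure propagates out of the loop, so once a flood of
    client connections exhausts file descriptors the listener stops serving.
    """
    accepted = 0
    while accepted < max_accepts:
        conn = accept()          # OSError(EMFILE) escapes here
        handle(conn)
        accepted += 1
    return accepted


def hardened_accept_loop(accept: Callable[[], object],
                         handle: Callable[[object], None],
                         max_accepts: int,
                         sleep: Callable[[float], None] = time.sleep,
                         max_backoff: float = 1.0) -> dict:
    """Accept loop that treats resource exhaustion as a transient condition.

    Returns a small stats dict so callers (and tests) can see how many
    transient failures were absorbed without the listener dying.
    """
    stats = {"accepted": 0, "transient": 0, "per_connection": 0}
    backoff = 0.01
    while stats["accepted"] < max_accepts:
        try:
            conn = accept()
        except OSError as exc:
            if exc.errno in PER_CONNECTION_ERRNOS:
                stats["per_connection"] += 1
                continue
            if exc.errno in TRANSIENT_ERRNOS:
                # Sleeping (rather than spinning) gives in-flight requests time
                # to finish and release descriptors; exponential backoff caps
                # the CPU an attacker can burn by keeping the fd table full.
                stats["transient"] += 1
                sleep(backoff)
                backoff = min(backoff * 2, max_backoff)
                continue
            raise  # EBADF, EINVAL, ...: the listener itself is broken
        backoff = 0.01
        handle(conn)
        stats["accepted"] += 1
    return stats


def make_scripted_accept(script: List) -> Callable[[], object]:
    """Constructed stand-in for listener.accept(): yields each script entry in
    turn, raising OSError for int errnos and returning anything else as a
    'connection'. Lets both loops run offline without real sockets."""
    it = iter(script)

    def accept():
        item = next(it)
        if isinstance(item, int):
            raise OSError(item, errno.errorcode[item])
        return item
    return accept


# Constructed scenario: an attacker's connection flood has filled the fd table,
# so accept() fails with EMFILE three times before descriptors free up again.
FLOOD_SCRIPT = ["c1", errno.EMFILE, errno.EMFILE, errno.ECONNABORTED,
                errno.EMFILE, "c2", "c3"]


def run_naive() -> str:
    handled = []
    try:
        naive_accept_loop(make_scripted_accept(FLOOD_SCRIPT), handled.append, 3)
    except OSError as exc:
        return f"listener died after {len(handled)} connection(s): {exc.strerror}"
    return "survived"


def run_hardened() -> dict:
    handled = []
    stats = hardened_accept_loop(make_scripted_accept(FLOOD_SCRIPT), handled.append, 3,
                                 sleep=lambda _s: None)  # no real sleeping in the demo
    stats["handled"] = handled
    return stats


if __name__ == "__main__":
    print("naive   :", run_naive())
    print("hardened:", run_hardened())
```

The hardened loop only survives the flood; it does not by itself shed the attacker's connections. Production servers usually pair the backoff with per-peer connection limits, idle timeouts, and a raised RLIMIT_NOFILE, and some keep a spare descriptor they can close so accept() can drain and immediately close the backlog when the table is full.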

Affected Versions

All versions starting from 1.53.0 before 1.53.2, all versions starting from 1.54.0 before 1.54.3, all versions starting from 1.55.0 before 1.55.3. Note that the description above states the defect is present from version 1.23 onwards; releases earlier than 1.53.0 have no fixed release listed on this page, so deployments on those lines should move to 1.53.2 or later.

Solution

Upgrade to version 1.53.2, 1.54.3, or 1.55.3, or a later release in the respective line.

Last Modified

2024-02-12
