CVE-2024-7246

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2024-7246
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-7246.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-7246
Aliases
Downstream
Related
Published
2024-08-06T11:16:07.587Z
Modified
2026-04-14T18:48:32.961463321Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
[none]
Details

It's possible for a gRPC client communicating with a HTTP/2 proxy to poison the HPACK table between the proxy and the backend such that other clients see failed requests. It's also possible to use this vulnerability to leak other clients HTTP header keys, but not values.

This occurs because the error status for a misencoded header is not cleared between header reads, resulting in subsequent (incrementally indexed) added headers in the first request being poisoned until cleared from the HPACK table.

Please update to a fixed version of gRPC as soon as possible. This bug has been fixed in 1.58.3, 1.59.5, 1.60.2, 1.61.3, 1.62.3, 1.63.2, 1.64.3, 1.65.4.

References

Affected packages

Git / github.com/grpc/grpc

Affected ranges

Type
GIT
Repo
https://github.com/grpc/grpc
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
14bcda7eae0ee99f6a6dceb8d6cc23f49362f577
Introduced
08cc1787de022069135004adfdd17938b5062319
Fixed
b22b8e6c8855f958afda436d9f1def216085d505
Introduced
0ef13a7555dbaadd4633399242524129eef5e231
Fixed
0bab87ede8244a21fce01294a364cc9a7fc99ed8
Introduced
a13178cb2537822bcdc552faba98fd9fa3c35b3e
Fixed
f66fc914209e10fd2ec95ba45509f39285a23ad4
Introduced
f78a54c5ad4e058734aa9b2beb9459940e4de342
Fixed
c48c8fc22325ad867b67fec3ba58290ce90d4741
Introduced
ac1418547838ab067a02af4402046f7bc1cbc44c
Fixed
79fb6564995720f750ef7bc31523101b8961b911
Introduced
b8a04acbbf18fd1c805e5d53d62ed9fa4721a4d1
Fixed
aef0f0ccc3d21a328282144b8aa666f3c570dfb9
Introduced
45479fda2a083c4e46310b9bb6e45e625e381269
Fixed
c3407b728428b84f4c0b8c1b653094903fe2f462
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.58.3"
        },
        {
            "introduced": "1.59.0"
        },
        {
            "fixed": "1.59.5"
        },
        {
            "introduced": "1.60.0"
        },
        {
            "fixed": "1.60.2"
        },
        {
            "introduced": "1.61.0"
        },
        {
            "fixed": "1.61.3"
        },
        {
            "introduced": "1.62.0"
        },
        {
            "fixed": "1.62.3"
        },
        {
            "introduced": "1.63.0"
        },
        {
            "fixed": "1.63.2"
        },
        {
            "introduced": "1.64.0"
        },
        {
            "fixed": "1.64.3"
        },
        {
            "introduced": "1.65.0"
        },
        {
            "fixed": "1.65.4"
        }
    ]
}

Affected versions

Other
release-0_6
release-0_6_0
release-0_9_0
release_test
release-0_9_1-objectivec-0.*
release-0_9_1-objectivec-0.5.1
v1.*
v1.3.4
v1.33.0
v1.41.0-pre1
v1.58.0
v1.58.0-pre1
v1.58.1
v1.58.2
v1.59.0
v1.59.1
v1.59.2
v1.59.3
v1.59.4
v1.60.0
v1.60.1
v1.61.0
v1.61.1
v1.61.2
v1.62.0
v1.62.1
v1.62.2
v1.63.0
v1.63.1
v1.64.0
v1.64.1
v1.64.2
v1.65.0
v1.65.1
v1.65.2
v1.65.3

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-7246.json"