
CVE-2023-44487 HTTP/2 rapid reset

Open tecnobrat opened this issue 10 months ago • 1 comments

There is an HTTP/2 vulnerability, CVE-2023-44487.

Golang has this issue in which they are tracking fixes: https://github.com/golang/go/issues/63417

I did a scan with Snyk, which returns:

✗ High severity vulnerability found in google.golang.org/grpc
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328
  Introduced through: google.golang.org/[email protected], github.com/mwitkow/grpc-proxy/proxy@#0f1106ef9c76, github.com/osrg/gobgp/v3/[email protected], github.com/osrg/gobgp/v3/pkg/[email protected], github.com/osrg/gobgp/v3/pkg/[email protected]
  From: google.golang.org/[email protected]
  From: github.com/mwitkow/grpc-proxy/proxy@#0f1106ef9c76 > google.golang.org/[email protected]
  From: github.com/osrg/gobgp/v3/[email protected] > google.golang.org/[email protected]
  and 4 more...
  Fixed in: 1.56.3, 1.57.1, 1.58.3

tecnobrat avatar Oct 12 '23 15:10 tecnobrat
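As an added example (not fabio project code and not part of the issue), the following Go program turns the Snyk "Fixed in: 1.56.3, 1.57.1, 1.58.3" line above into a check against a go.mod: it finds the pinned google.golang.org/grpc version and decides whether that version carries the CVE-2023-44487 fix. The rule it applies is the one the Snyk output implies: on a branch that has a fixed release (1.56, 1.57, 1.58) the patch level must be at or above it; anything on an older branch has no fixed release and is vulnerable; anything on a newer branch is assumed to include the fix (that last point is an assumption, since Snyk only lists the three branches). Go pseudo-versions such as v1.58.3-0.2023... sort before the tagged release and are therefore reported as vulnerable. The go.mod text is constructed for the example and is not fabio's.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Added example, not fabio project code. The "Fixed in" list is copied from
// the Snyk output in the issue: the first release on each maintained branch
// of google.golang.org/grpc that carries the CVE-2023-44487 fix.
var grpcFixedIn = []string{"1.56.3", "1.57.1", "1.58.3"}

// version is a Go module version. pre marks a pre-release or pseudo-version
// suffix ("-..."), which sorts before the tagged release it is derived from.
type version struct {
	major, minor, patch int
	pre                 bool
}

// parseVersion accepts "v1.57.0", "1.57.0" and "v1.58.3-0.2023...-abcdef".
func parseVersion(s string) (version, error) {
	s = strings.TrimPrefix(s, "v")
	var v version
	if i := strings.IndexByte(s, '-'); i >= 0 {
		v.pre = true
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return version{}, fmt.Errorf("not a major.minor.patch version: %q", s)
	}
	for i, dst := range []*int{&v.major, &v.minor, &v.patch} {
		n, err := strconv.Atoi(parts[i])
		if err != nil || n < 0 {
			return version{}, fmt.Errorf("bad component %q in %q", parts[i], s)
		}
		*dst = n
	}
	return v, nil
}

// less orders versions by major, minor, patch, then release before pre-release.
func (a version) less(b version) bool {
	if a.major != b.major {
		return a.major < b.major
	}
	if a.minor != b.minor {
		return a.minor < b.minor
	}
	if a.patch != b.patch {
		return a.patch < b.patch
	}
	return a.pre && !b.pre
}

// grpcIsFixed reports whether a google.golang.org/grpc module version includes
// the CVE-2023-44487 fix according to grpcFixedIn. Branches newer than any
// listed fix are assumed fixed (assumption: they were cut after the fix);
// branches older than the lowest listed fix have no fixed release.
func grpcIsFixed(modVersion string) (bool, error) {
	v, err := parseVersion(modVersion)
	if err != nil {
		return false, err
	}
	var newest version
	for _, f := range grpcFixedIn {
		fv, err := parseVersion(f)
		if err != nil {
			return false, err
		}
		if newest.less(fv) {
			newest = fv
		}
		if fv.major == v.major && fv.minor == v.minor {
			return !v.less(fv), nil
		}
	}
	return newest.less(v), nil
}

// grpcVersionFromGoMod scans go.mod text for the google.golang.org/grpc
// requirement (inside or outside a require block; "// indirect" is ignored).
func grpcVersionFromGoMod(gomod string) (string, bool) {
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimPrefix(strings.TrimSpace(sc.Text()), "require ")
		fields := strings.Fields(line)
		if len(fields) >= 2 && fields[0] == "google.golang.org/grpc" {
			return fields[1], true
		}
	}
	return "", false
}

// sampleGoMod is constructed for this example; it is not fabio's go.mod.
const sampleGoMod = `module example.com/service

go 1.21

require (
	github.com/example/dep v0.1.0
	google.golang.org/grpc v1.57.0 // indirect
)
`

func main() {
	v, ok := grpcVersionFromGoMod(sampleGoMod)
	if !ok {
		fmt.Println("google.golang.org/grpc is not required by this go.mod")
		return
	}
	fixed, err := grpcIsFixed(v)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	if fixed {
		fmt.Printf("google.golang.org/grpc %s includes the CVE-2023-44487 fix\n", v)
	} else {
		fmt.Printf("google.golang.org/grpc %s is vulnerable to CVE-2023-44487; upgrade to one of %v\n", v, grpcFixedIn)
	}
}
```

Point grpcVersionFromGoMod at a real go.mod to run it against a project. Note that go.mod records the minimum selected version; the version actually built is the one in `go list -m google.golang.org/grpc`, which may be higher after MVS resolution, so feed that output to grpcIsFixed when the go.mod pin looks vulnerable.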

Could @dependabot help here?

tristanmorgan avatar Oct 12 '23 22:10 tristanmorgan