afero CVE-2023-44487: golang.org/grpc <1.56.3 >=1.57.0 <1.57.1 >=1.58.0 <1.58.3

CVE-2023-44487: golang.org/grpc <1.56.3 >=1.57.0 <1.57.1 >=1.58.0 <1.58.3

Open amaschas opened this issue 9 months ago • 0 comments

golang.org//grpc versions <1.56.3 >=1.57.0 <1.57.1 >=1.58.0 <1.58.3 are vulnerable to https://security.snyk.io/vuln/SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

This was flagged in a Snyk security report, and the package appears to be a downstream dependency of golang.org/x/crypto to the best of my ability to determine. The dependencies for this package in go.mod appear to be pointing to specific commits, so I'm not sure what the history is there, and what the best path for remediation is.

https://www.cve.org/CVERecord?id=CVE-2023-44487 https://www.mend.io/vulnerability-database/CVE-2023-44487

Nov 13 '23 19:11 amaschas

afero afero copied to clipboard

CVE-2023-44487: golang.org/grpc <1.56.3 >=1.57.0 <1.57.1 >=1.58.0 <1.58.3

afero
afero copied to clipboard