gRPC 1.23+ TCP Server DoS via Unhandled Connections
CVE-2023-4785 Published on September 13, 2023
Denial of Service in gRPC Core
Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected.
Vulnerability Analysis
CVE-2023-4785 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.
Weakness Type
Uncaught Exception
An exception is thrown from a function, but it is not caught. When an exception is not caught, it may cause the program to crash or expose sensitive information.
Products Associated with CVE-2023-4785
stack.watch emails you whenever new vulnerabilities are published in Grpc or Oracle. Just hit a watch button to start following.
Affected Versions
Google gRPC:- Before 1.23 is unaffected.
- Version 1.57 is unaffected.
- Version 1.56.0, <= 1.56.1 is affected.
- Version 1.55.0, <= 1.55.2 is affected.
- Version 1.54.0, <= 1.54.2 is affected.
- Version 1.53.0, <= 1.53.1 is affected.
- Before 1.23 is affected.
- Version 1.57 is affected.
- Version 1.56.0, <= 1.56.1 is affected.
- Version 1.55.0, <= 155.2 is affected.
- Version 1.54.0, <= 1.54.2 is affected.
- Version 1.53.0, <= 1.53.1 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.