Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[🐸 Frogbot] Update version of google.golang.org/grpc to 1.53.0 #2062

Merged
merged 2 commits into from
Jul 6, 2023
Merged

[🐸 Frogbot] Update version of google.golang.org/grpc to 1.53.0 #2062

merged 2 commits into from
Jul 6, 2023

Conversation

github-actions[bot]
Copy link
Contributor

@github-actions github-actions bot commented Jul 6, 2023
edited by omerzi
Loading

📦 Vulnerable Dependencies

✍️ Summary

SEVERITY CONTEXTUAL ANALYSIS DIRECT DEPENDENCIES IMPACTED DEPENDENCY FIXED VERSIONS

High		 $\color{}{\textsf{Undetermined}}$ google.golang.org/grpc:v1.52.0
github.com/spf13/viper:v1.15.0		 google.golang.org/grpc:v1.52.0 1.53.0

👇 Details

  • Severity: 🔥 High
  • Package Name: google.golang.org/grpc
  • Current Version: v1.52.0
  • Fixed Version: 1.53.0
  • CVEs: CVE-2023-32731

Description:

When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. We recommend upgrading beyond the commit contained in� grpc/grpc#33005 grpc/grpc#33005

@omerzi omerzi added the safe to test Approve running integration tests on a pull request label Jul 6, 2023
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Jul 6, 2023
@omerzi omerzi changed the base branch from v2 to dev July 6, 2023 05:22
@omerzi omerzi added the safe to test Approve running integration tests on a pull request label Jul 6, 2023
@omerzi omerzi temporarily deployed to frogbot July 6, 2023 05:23 — with GitHub Actions Inactive
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Jul 6, 2023
@github-actions
Copy link
Contributor Author

github-actions bot commented Jul 6, 2023

@omerzi omerzi merged commit c8a87b5 into dev Jul 6, 2023
@omerzi omerzi deleted the frogbot-google.golang.org/grpc-3787cdadfbbb1236909df9b08c0b5784 branch July 6, 2023 05:54
@chenrui333 chenrui333 mentioned this pull request Jul 12, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@omerzi @JFrog-Frogbot