vulnerability
Amazon Linux 2023: CVE-2024-7246: Medium priority package update for grpc
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 6 | (AV:N/AC:M/Au:N/C:P/I:N/A:P) | Aug 6, 2024 | Feb 17, 2025 | Jul 4, 2025 |
Severity
6
CVSS
(AV:N/AC:M/Au:N/C:P/I:N/A:P)
Published
Aug 6, 2024
Added
Feb 17, 2025
Modified
Jul 4, 2025
Description
It's possible for a gRPC client communicating with a HTTP/2 proxy to poison the HPACK table between the proxy and the backend such that other clients see failed requests. It's also possible to use this vulnerability to leak other clients HTTP header keys, but not values.
This occurs because the error status for a misencoded header is not cleared between header reads, resulting in subsequent (incrementally indexed) added headers in the first request being poisoned until cleared from the HPACK table.
Please update to a fixed version of gRPC as soon as possible. This bug has been fixed in 1.58.3, 1.59.5, 1.60.2, 1.61.3, 1.62.3, 1.63.2, 1.64.3, 1.65.4.
A flaw was found in Google gRPC due to HPACK table poisoning between the proxy and backend so that other clients see failed requests, resulting in a denial of service. This occurs because the error status for a misencoded header is not cleared between header reads, resulting in subsequent (incrementally indexed) added headers in the first request being poisoned until cleared from the HPACK table. By sending a specially crafted request, an attacker could leak other clients HTTP header keys. Attackers are only able to access HTTP header keys but not values.
This occurs because the error status for a misencoded header is not cleared between header reads, resulting in subsequent (incrementally indexed) added headers in the first request being poisoned until cleared from the HPACK table.
Please update to a fixed version of gRPC as soon as possible. This bug has been fixed in 1.58.3, 1.59.5, 1.60.2, 1.61.3, 1.62.3, 1.63.2, 1.64.3, 1.65.4.
A flaw was found in Google gRPC due to HPACK table poisoning between the proxy and backend so that other clients see failed requests, resulting in a denial of service. This occurs because the error status for a misencoded header is not cleared between header reads, resulting in subsequent (incrementally indexed) added headers in the first request being poisoned until cleared from the HPACK table. By sending a specially crafted request, an attacker could leak other clients HTTP header keys. Attackers are only able to access HTTP header keys but not values.
Solutions
amazon-linux-2023-upgrade-grpcamazon-linux-2023-upgrade-grpc-cppamazon-linux-2023-upgrade-grpc-cpp-debuginfoamazon-linux-2023-upgrade-grpc-dataamazon-linux-2023-upgrade-grpc-debuginfoamazon-linux-2023-upgrade-grpc-debugsourceamazon-linux-2023-upgrade-grpc-develamazon-linux-2023-upgrade-grpc-docamazon-linux-2023-upgrade-grpc-pluginsamazon-linux-2023-upgrade-grpc-plugins-debuginfo
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.