CVE-2023-1428
Denial of Service vulnerability in grpc-protobuf (Maven)

Denial of Service | No known exploit

What is CVE-2023-1428 About?

This vulnerability in gRPC's C++ implementation causes the application to abort when specific HTTP/2 headers are processed, leading to a denial of service. Exploitation requires sending specially crafted headers with a total size exceeding 8KB, making it a moderately complex attack.

Affected Software

  • io.grpc:grpc-protobuf
    • <1.53.0
  • grpcio
    • <1.53.0
  • grpc
    • <1.53.0

Technical Details

gRPC's C++ implementation calls abort() when it processes specific HTTP/2 headers. The problematic headers are te: x (where x is not 'trailers'), :scheme: x (where x is not 'http' or 'https'), and grpclb_client_stats: x (for any value of x). To trigger the abort, an attacker must send one of these problematic headers, followed by further headers that bring the total header size above 8KB. The combination of the oversized header block and one of these header values causes the gRPC C++ implementation to terminate unexpectedly.
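As an added defensive example (not code from the gRPC project or from this advisory), the following Python filter classifies an HTTP/2 header block against the conditions described above, the way a reverse proxy or WAF hook in front of a backend that has not yet been upgraded would. The size accounting (name plus value bytes per header) is an assumption; the advisory does not state how the gRPC C++ core counts header bytes.

```python
"""Pre-filter for gRPC HTTP/2 header blocks matching the CVE-2023-1428 pattern.

Added example, not grpc project code. Assumption: header block size is
approximated as len(name) + len(value) bytes per entry; the advisory does not
state the exact accounting the gRPC C++ core applies.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

HEADER_SIZE_LIMIT = 8 * 1024  # the 8KB threshold from the advisory
Header = Tuple[str, str]


@dataclass
class Verdict:
    problematic: List[Header] = field(default_factory=list)
    total_bytes: int = 0
    matches_cve_pattern: bool = False  # problematic header AND block > 8KB


def is_problematic(name: str, value: str) -> bool:
    """True for a header value the vulnerable gRPC C++ core aborts on."""
    name = name.lower()  # HTTP/2 header names are lowercase on the wire
    if name == "te":
        return value != "trailers"
    if name == ":scheme":
        return value not in ("http", "https")
    return name == "grpclb_client_stats"  # aborts for any value


def inspect_headers(headers: List[Header]) -> Verdict:
    """Classify one header block in wire order."""
    v = Verdict()
    for name, value in headers:
        if is_problematic(name, value):
            v.problematic.append((name, value))
        v.total_bytes += len(name.encode()) + len(value.encode())
    # The advisory has the 8KB limit exceeded by headers *after* the bad one;
    # a filter flags regardless of order, and should drop any problematic
    # header outright rather than wait for the size condition.
    v.matches_cve_pattern = bool(v.problematic) and v.total_bytes > HEADER_SIZE_LIMIT
    return v


# Constructed sample header blocks, not captured traffic.
BENIGN = [(":method", "POST"), (":scheme", "https"), (":path", "/svc.Echo/Say"),
          ("te", "trailers"), ("content-type", "application/grpc")]
ODD_TE = [(":method", "POST"), (":scheme", "https"), ("te", "x")]
ODD_TE_LARGE = ODD_TE + [("x-pad-%d" % i, "a" * 1000) for i in range(9)]
```

A proxy using this should reject on a non-empty `problematic` list alone; `matches_cve_pattern` is only there to distinguish blocks that also satisfy the size condition when triaging logs.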

What is the Impact of CVE-2023-1428?

Successful exploitation may allow attackers to cause the gRPC application to crash, leading to a denial of service and disrupting the availability of services relying on gRPC communication.

What is the Exploitability of CVE-2023-1428?

Exploitation of this vulnerability involves sending specially crafted HTTP/2 headers. The complexity is moderate: it requires knowledge of the specific header values and the ability to construct a sequence of headers whose total size exceeds 8KB. No authentication or specific privileges are required, so the attack vector is remote. The primary constraint is that the gRPC C++ implementation must be in use. The risk is heightened for internet-facing gRPC services, where attackers can send malicious requests without prior authorization.

What are the Known Public Exploits?

No known exploits (the PoC / Author / Link / Commentary table is empty).

What are the Available Fixes for CVE-2023-1428?

Available Upgrade Options

  • io.grpc:grpc-protobuf
    • <1.53.0 → Upgrade to 1.53.0
  • grpc
    • <1.53.0 → Upgrade to 1.53.0
  • grpcio
    • <1.53.0 → Upgrade to 1.53.0

Additional Resources

What are Similar Vulnerabilities to CVE-2023-1428?

Similar Vulnerabilities: CVE-2022-2978, CVE-2021-39148, CVE-2021-33190, CVE-2020-8912, CVE-2019-15553