CVE-2023-32731
Information Leak vulnerability in grpc-protobuf (Maven)

Information Leak No known exploit

What is CVE-2023-32731 About?

A bug in the gRPC HTTP/2 stack (fixed in 1.53.0) causes the sender's and receiver's HPACK dynamic tables to fall out of sync: when a received header list exceeds the configured size limit, the receiver raises the error and abandons parsing of the rest of the HPACK block, so any dynamic-table insertions in the unparsed remainder are never applied on the receiving side. When the receiver is a backend sitting behind an HTTP/2 proxy that carries many clients over one connection, later requests from the proxy can be decoded with header values that belong to a different client, which is an information leak usable for privilege escalation or data exfiltration. Triggering it takes a header block that exceeds the backend's limit and that still carries table mutations after the oversized header, so exploitation is moderately complex.

Affected Software

  • io.grpc:grpc-protobuf
    • <1.53.0
  • grpcio
    • <1.53.0
  • grpc
    • <1.53.0

Technical Details

When a vulnerable gRPC HTTP/2 endpoint receives a HEADERS block whose header list exceeds its configured limit (gRPC's maximum metadata size), it raises the error and stops parsing the remainder of the HPACK block. HPACK (RFC 7541) requires that every representation in a block be processed, because a "literal with incremental indexing" inserts a new entry into the decoder's dynamic table and shifts the indices of all existing entries. The sender has already applied those insertions to its own copy of the table while encoding the block, so after the error the two tables differ: the sender's table holds entries the receiver never added, and the same index now names a different header on each side. The request that carried the oversized block fails, but the connection, and with it the desynchronized table, lives on. In a proxy architecture this becomes a cross-client leak: a proxy typically multiplexes many clients over a single HTTP/2 connection to the backend, and a subsequent request from the proxy that refers to a header by index, for example a client's authorization, cookie or identity header, is resolved by the backend to a neighbouring table entry that was inserted for a different client's earlier request. The backend then processes one client's request with another client's credentials or context.
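The desynchronization described above, as an added example that is not part of this advisory or of gRPC's own code: a minimal HPACK encoder and decoder (RFC 7541 integer and string coding, indexed and literal representations, no Huffman coding, no table-size updates or eviction, truncated static table) in which the decoder's `stop_on_limit` flag models the pre-1.53.0 behaviour of abandoning the block when the header-list limit is hit. The proxy, the backend, the 256-byte limit, the padding header and the token values are all constructed for the demonstration.

```python
# Truncated static table (RFC 7541 Appendix A has 61 entries; only a few are
# needed here). Indices are 1-based; dynamic entries follow the static ones.
STATIC = [(":authority", ""), (":method", "GET"), (":method", "POST"),
          (":path", "/"), ("authorization", ""), ("cookie", "")]

class HeaderListTooLarge(Exception): pass

def entry_size(name, value):
    return len(name) + len(value) + 32              # RFC 7541 §4.1 per-entry overhead

def encode_int(value, prefix_bits, flags):
    """RFC 7541 §5.1 integer with an N-bit prefix; `flags` are the high bits."""
    limit = (1 << prefix_bits) - 1
    if value < limit:
        return bytes([flags | value])
    out, value = bytearray([flags | limit]), value - limit
    while value >= 128:                             # 7-bit continuation bytes
        out.append(value % 128 | 0x80); value //= 128
    return bytes(out + bytes([value]))

def decode_int(data, pos, prefix_bits):
    limit = (1 << prefix_bits) - 1
    value, pos, shift = data[pos] & limit, pos + 1, 0
    if value < limit:
        return value, pos
    while True:
        b, pos = data[pos], pos + 1
        value, shift = value + ((b & 0x7F) << shift), shift + 7
        if not b & 0x80:
            return value, pos

def encode_str(s):                                  # H bit clear: raw octets, no Huffman
    return encode_int(len(s.encode()), 7, 0x00) + s.encode()

def decode_str(data, pos):
    n, pos = decode_int(data, pos, 7)
    return data[pos:pos + n].decode(), pos + n

class DynamicTable:
    """Newest entry first. Eviction omitted: this demo stays far below the 4096-byte default."""
    def __init__(self):
        self.entries = []
    def add(self, name, value):
        self.entries.insert(0, (name, value))       # every existing index shifts by one
    def lookup(self, index):                        # 1-based: static table, then dynamic
        table = STATIC + self.entries
        if not 1 <= index <= len(table):
            raise ValueError("index %d not in table" % index)
        return table[index - 1]
    def find(self, name, value):
        table = STATIC + self.entries
        return table.index((name, value)) + 1 if (name, value) in table else None

class Encoder:
    """Sender side (the proxy). Keeps its own copy of the dynamic table."""
    def __init__(self):
        self.table = DynamicTable()
    def encode(self, headers):
        out = bytearray()
        for name, value, index_it in headers:
            idx = self.table.find(name, value)
            if idx:                                 # indexed representation
                out += encode_int(idx, 7, 0x80)
            elif index_it:                          # literal with incremental indexing
                out += encode_int(0, 6, 0x40) + encode_str(name) + encode_str(value)
                self.table.add(name, value)
            else:                                   # literal without indexing
                out += encode_int(0, 4, 0x00) + encode_str(name) + encode_str(value)
        return bytes(out)

class Decoder:
    """Receiver side (the gRPC backend). stop_on_limit=True models gRPC < 1.53.0."""
    def __init__(self, max_header_list_size, stop_on_limit):
        self.table, self.limit, self.stop = DynamicTable(), max_header_list_size, stop_on_limit
    def decode(self, block):
        headers, total, exceeded, pos = [], 0, False, 0
        while pos < len(block):
            b = block[pos]
            if b & 0x80:                            # indexed representation
                idx, pos = decode_int(block, pos, 7)
                name, value = self.table.lookup(idx)
            else:                                   # literal; 0x40 means add to table
                idx, pos = decode_int(block, pos, 6 if b & 0x40 else 4)
                name, pos = (self.table.lookup(idx)[0], pos) if idx else decode_str(block, pos)
                value, pos = decode_str(block, pos)
                if b & 0x40:
                    self.table.add(name, value)
            total += entry_size(name, value)
            if total > self.limit and self.stop:    # bug: abandon the block right here,
                raise HeaderListTooLarge("abandoned mid-block")  # later table adds are lost
            exceeded = exceeded or total > self.limit
            headers.append((name, value))
        if exceeded:                                # fix: parse it all, then reject
            raise HeaderListTooLarge("header list too large")
        return headers

TOKEN_A, TOKEN_B = "Bearer token-of-client-A", "Bearer token-of-client-B"   # constructed

def run_scenario(stop_on_limit):
    """Three proxy->backend requests on one connection; returns the authorization
    value the backend attributes to client B's last request."""
    proxy, backend = Encoder(), Decoder(max_header_list_size=256, stop_on_limit=stop_on_limit)
    # 1: client A, within the limit; A's token enters both dynamic tables.
    backend.decode(proxy.encode([(":method", "GET", True), ("authorization", TOKEN_A, True)]))
    # 2: client B; a 300-byte header breaches the limit *before* B's token, which the
    #    proxy nevertheless adds to its own table while encoding the block.
    try:
        backend.decode(proxy.encode([(":method", "GET", True), ("x-padding", "x" * 300, False),
                                     ("authorization", TOKEN_B, True)]))
    except HeaderListTooLarge:
        pass                                        # rejected either way; only the tables differ
    # 3: client B again; the proxy now sends an index for B's token.
    hdrs = backend.decode(proxy.encode([(":method", "GET", True), ("authorization", TOKEN_B, True)]))
    return dict(hdrs)["authorization"]
```

With `stop_on_limit=True` the third request is decoded with client A's token even though the proxy encoded client B's: after request 2 the proxy's table is `[B, A]` while the backend's is still `[A]`, so the index the proxy emits for B lands on A's entry. With `stop_on_limit=False` the backend still rejects request 2, but its table matches the proxy's and request 3 resolves to B's token. The model is deliberately a subset of HPACK; what it does not change is the property that matters, that a decoder must consume every representation in a block, or reset the connection, before it stops trusting the block.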

What is the Impact of CVE-2023-32731?

Successful exploitation causes the backend to process one client's request with header values that another client sent, which can disclose that client's data to the attacker or let the attacker act with the other client's credentials or context. The upstream advisory classifies this as an information leak that can be used for privilege escalation or data exfiltration.

What is the Exploitability of CVE-2023-32731?

Exploitation is complex and depends on the deployment. The attacker must deliver, through the proxy, a request whose header list exceeds the vulnerable backend's limit, and the oversized block must still carry dynamic-table insertions after the point where the limit is breached; the proxy forwards it, the proxy's HPACK encoder records those insertions, the backend's decoder does not, and from then on indexed references on that connection resolve differently on the two sides. No authentication is needed to send the initial request if the proxy forwards anonymous traffic, and the scenario is remote. The prerequisites are an HTTP/2 proxy that reuses one connection to the backend for several clients (the normal proxy pattern) and that forwards header lists larger than the backend accepts instead of rejecting them at its own edge; the vulnerable component is the gRPC receiver, typically the backend. Exploitability is reduced where the proxy enforces a header-list limit no larger than the backend's, because the oversized block then never reaches the vulnerable decoder, and it is eliminated by upgrading the receiver to 1.53.0 or later.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2023-32731?

Available Upgrade Options

  • io.grpc:grpc-protobuf
    • <1.53.0 → Upgrade to 1.53.0 or later
  • grpc
    • <1.53.0 → Upgrade to 1.53.0 or later
  • grpcio
    • <1.53.0 → Upgrade to 1.53.0 or later


Additional Resources

What are Similar Vulnerabilities to CVE-2023-32731?

Similar Vulnerabilities: CVE-2022-41717 , CVE-2022-31030 , CVE-2021-39111 , CVE-2021-44716 , CVE-2021-3560