GHSA-xr7q-jx4m-x55m
Exposure of Sensitive Data vulnerability in grpc (Go)
What is GHSA-xr7q-jx4m-x55m About?
This vulnerability concerns gRPC metadata logging: sensitive information, including Personally Identifiable Information (PII), can be inadvertently logged if an application prints or logs the context object that carries this metadata. The result is unauthorized exposure of private data. Exploitation requires access to the logs or output streams where the metadata was written.
Affected Software
Technical Details
The vulnerability arises when gRPC applications log or print the entire context object, which can contain gRPC metadata. This metadata, intended for communication between the gRPC client and server, can include various pieces of information, some of which may be sensitive or constitute PII (e.g., authorization tokens, user IDs, request-specific headers). If an application's logging mechanism outputs the full context without sanitization or redaction, any sensitive data present in the gRPC metadata is written to log files or printed output. An attacker with access to those logs or console outputs can harvest this information, leading to PII breaches or compromise of credentials and tokens.
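The following added example (not code from grpc-go or from this advisory) reproduces the mechanism with the Go standard library only. It assumes a constructed `MD` type standing in for `metadata.MD` and relies on a documented property of `context.WithValue`: when a context is printed with `%v`, the stored value is rendered with its `String()` method if it has one. A value whose `String()` dumps every header therefore leaks the bearer token into the log line, while a value that redacts sensitive keys before printing does not. The header list in `sensitiveKeys` and the sample metadata are constructed for the demonstration.

```go
package main

import (
	"context"
	"fmt"
	"strings"
)

// MD mirrors the shape of gRPC metadata (header name -> values).
// Constructed stand-in for google.golang.org/grpc/metadata.MD, not grpc-go's type.
type MD map[string][]string

// leakyMD prints every header verbatim. If such a value sits in a context
// and the context is logged with %v, fmt calls String() and the headers
// (including credentials) land in the log line.
type leakyMD MD

func (m leakyMD) String() string {
	return fmt.Sprintf("%v", map[string][]string(m))
}

// sensitiveKeys is a constructed deny-list of header names whose values
// must never reach logs; extend it for your own deployment.
var sensitiveKeys = map[string]bool{
	"authorization": true,
	"cookie":        true,
	"x-api-key":     true,
}

// Redacted returns a copy of the metadata with sensitive values replaced.
// The original map is left untouched so the handler still sees real headers.
func Redacted(m MD) MD {
	out := make(MD, len(m))
	for k, vs := range m {
		if sensitiveKeys[strings.ToLower(k)] {
			out[k] = []string{"[REDACTED]"}
			continue
		}
		out[k] = append([]string(nil), vs...)
	}
	return out
}

// safeMD redacts before printing, so an accidental %v on the context
// still produces a useful but harmless log line.
type safeMD MD

func (m safeMD) String() string {
	return fmt.Sprintf("%v", map[string][]string(Redacted(MD(m))))
}

// mdKey is the unexported context key, as a gRPC library would use.
type mdKey struct{}

// sampleMD is constructed request metadata: a bearer token plus a user id.
var sampleMD = MD{
	"authorization": {"Bearer secret-token-123"},
	"user-id":       {"u-42"},
}

// LeakyContextString shows what an unredacted fmt.Sprintf("%v", ctx) emits.
func LeakyContextString() string {
	ctx := context.WithValue(context.Background(), mdKey{}, leakyMD(sampleMD))
	return fmt.Sprintf("handling request ctx=%v", ctx)
}

// SafeContextString shows the same log statement once the value redacts itself.
func SafeContextString() string {
	ctx := context.WithValue(context.Background(), mdKey{}, safeMD(sampleMD))
	return fmt.Sprintf("handling request ctx=%v", ctx)
}

func main() {
	fmt.Println(LeakyContextString()) // token appears in the output
	fmt.Println(SafeContextString())  // token replaced by [REDACTED]
}
```

Two practical checks follow from this: grep existing log output for `WithValue(` to find places where a whole context is being formatted, and prefer logging an explicit, redacted field set (as `Redacted` does) over passing `ctx` to a logger at all, since a library upgrade can change what the context renders.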
What is the Impact of GHSA-xr7q-jx4m-x55m?
Successful exploitation may allow attackers to gain unauthorized access to sensitive PII and other private information contained within gRPC metadata, leading to data breaches or credential compromise.
What is the Exploitability of GHSA-xr7q-jx4m-x55m?
Exploitation complexity is generally low, as it primarily relies on an attacker gaining access to log files or application output streams. There are no prerequisites in terms of interacting with the gRPC service itself; the weakness lies in the logging practice. No authentication against the application is needed if the logs themselves are not access-controlled or if an attacker has already bypassed system authentication. Privilege requirements depend on the access controls applied to the log files. Access can be local if logs are stored on the same machine, or remote if logs are shipped to a centralized logging system. The special condition is that the application must be logging the full gRPC context without redaction. Risk factors that increase the likelihood of exploitation include weak log access controls, verbose logging configurations, and insufficient data sanitization practices.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for GHSA-xr7q-jx4m-x55m?
Available Upgrade Options
- google.golang.org/grpc
  - >1.64.0, <1.64.1 → Upgrade to 1.64.1
Additional Resources
- https://github.com/grpc/grpc-go/commit/ab292411ddc0f3b7a7786754d1fe05264c3021eb
- https://github.com/grpc/grpc-go/security/advisories/GHSA-xr7q-jx4m-x55m
- https://osv.dev/vulnerability/GHSA-xr7q-jx4m-x55m
- https://github.com/grpc/grpc-go
What are Similar Vulnerabilities to GHSA-xr7q-jx4m-x55m?
Similar Vulnerabilities: CVE-2024-45784, CVE-2023-42781, CVE-2023-50943, CVE-2020-13936, CVE-2022-23530