CVE-2023-4785

CWE-2489 documents8 sources

Severity

7.5HIGH

EPSS

0.1%

top 82.62%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Grpc Grpc Google Grpc

Timeline

PublishedSep 13

Latest updateJan 15

Description

Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶CVEListV5google/grpc1.56.0 — 1.56.1+3

▶RubyGemsgrpc1.56.0 — 1.56.2+3

▶PyPIgrpcio1.55.0 — 1.55.3+2

▶NVDgrpc/grpc1.23.0 — 1.53.2+3

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Denial of Service Vulnerability in gRPC TCP Server (Posix-compatible platforms)↗2023-09-13

▶

OSV

Denial of Service Vulnerability in gRPC TCP Server (Posix-compatible platforms)↗2023-09-13

▶

OSV

CVE-2023-4785: Lack of error handling in the TCP server in Google's gRPC starting version 1↗2023-09-13

▶

CVEList

Denial of Service in gRPC Core↗2023-09-13

▶

📋Vendor Advisories

Oracle

Oracle Oracle Analytics Risk Matrix: Analytics Server (gRPC) — CVE-2023-4785↗2025-01-15

▶

Red Hat

gRPC: file descriptor exhaustion leads to denial of service↗2023-09-14

▶

Microsoft

Denial of Service in gRPC Core↗2023-09-12

▶

Debian

CVE-2023-4785: grpc - Lack of error handling in the TCP server in Google's gRPC starting version 1.23 ...↗2023

▶