CVE-2022-24777

EPSS 0.33%
Published 25.03.2022 17:15:08
Last modified 21.11.2024 06:51:04
Source security-advisories@github.com
Teams watchlist Login
Open Login

grpc-swift is the Swift language implementation of gRPC, a remote procedure call (RPC) framework. Prior to version 1.7.2, a grpc-swift server is vulnerable to a denial of service attack via a reachable assertion. This is due to incorrect logic when handling GOAWAY frames. The attack is low-effort: it takes very little resources to construct and send the required sequence of frames. The impact on availability is high as the server will crash, dropping all in flight connections and requests. This issue is fixed in version 1.7.2. There are currently no known workarounds.

Affected products Warnungen 0 Metrics 4 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Linuxfoundation ≫ Grpc Swift Version < 1.7.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.33%	0.557

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:N/I:N/A:P
security-advisories@github.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-617 Reachable Assertion

The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.

https://github.com/grpc/grpc-swift/commit/858f977f2a51fca2292f384cf7a108dc2e73a3bd

Patch

Third Party Advisory

https://github.com/grpc/grpc-swift/security/advisories/GHSA-r6ww-5963-7r95

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-24777

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-24777

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-24777

EUVD