Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| grpc(RubyGems) | 1.56.0 | 1.56.2 | N/A |
| grpc(RubyGems) | 1.55.0 | 1.55.3 | N/A |
| grpc(RubyGems) | 1.54.0 | 1.54.3 | N/A |
| grpc(RubyGems) | 1.53.0 | 1.53.2 | N/A |
| grpcio(PyPI) | 1.55.0 | 1.55.3 | N/A |
| grpcio(PyPI) | 1.54.0 | 1.54.3 | N/A |
| grpcio(PyPI) | 1.53.0 | 1.53.2 | N/A |
CVSS Metrics
