CVE-2024-7246 is a medium-severity vulnerability in gRPC, published on August 6, 2024. It allows HPACK table poisoning when a gRPC client talks to a backend through an HTTP/2 proxy: a malicious client can poison the HPACK dynamic table on the connection between the proxy and the backend, so that other clients multiplexed over that same connection see failed requests. The same flaw can leak other clients' HTTP header keys, but not their values. The root cause is that the error status recorded for a misencoded header was not cleared between header reads, so subsequent incrementally indexed headers added in the same block were poisoned until the state was cleared.
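The following is a simplified model of that failure class, added to this page as an illustration; it is not gRPC's code and does not reproduce its HPACK parser. HPACK (RFC 7541) requires the encoder and decoder to add incrementally indexed literals to their dynamic tables in lockstep, so any decoder that silently stops inserting entries diverges from the encoder for every client sharing the connection. The model assumes, as a modelling choice rather than a statement about gRPC internals, that a stale per-header error suppresses table insertion; the header names and values are constructed sample data.

```python
"""Model of HPACK dynamic-table desynchronisation caused by a sticky decode error.

Illustrative example only (not gRPC's code): a decoder whose per-header error
state survives into the next header read stops keeping its dynamic table in
lockstep with the encoder, so later indexed references from *other* clients on
the same proxy-to-backend connection resolve to the wrong entry or fail.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Header-block instructions, mirroring the two HPACK representations that matter
# here: ("indexed", index) and ("literal", name, raw_value) with incremental
# indexing. Index 1 is the newest dynamic entry (HPACK orders the dynamic table
# newest-first); the static table is omitted to keep the model short.
Instr = tuple


@dataclass
class DynamicTable:
    entries: List[Tuple[str, bytes]] = field(default_factory=list)  # newest first

    def add(self, name: str, raw: bytes) -> None:
        self.entries.insert(0, (name, raw))

    def lookup(self, index: int) -> Tuple[str, bytes]:
        if not 1 <= index <= len(self.entries):
            raise IndexError(f"dynamic index {index} out of range")
        return self.entries[index - 1]


class Encoder:
    """Proxy side: every literal-with-incremental-indexing is added to the
    encoder's table unconditionally, whatever the peer thinks of its value."""

    def __init__(self) -> None:
        self.table = DynamicTable()

    def literal(self, name: str, raw: bytes) -> Instr:
        self.table.add(name, raw)
        return ("literal", name, raw)

    def indexed(self, name: str, raw: bytes) -> Instr:
        return ("indexed", self.table.entries.index((name, raw)) + 1)


def validate_value(raw: bytes) -> Optional[str]:
    """Stand-in for metadata validation (assumption): values must be printable
    ASCII. Failing this is treated as a per-stream error, not an HPACK decoding
    error, so the entry still belongs in the dynamic table."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


class Decoder:
    """Backend side. sticky_error=True models the bug class (error state is not
    cleared between header reads); sticky_error=False models the fix."""

    def __init__(self, sticky_error: bool) -> None:
        self.table = DynamicTable()
        self.sticky_error = sticky_error

    def decode_block(self, block: List[Instr]) -> Tuple[List[Tuple[str, str]], List[str]]:
        headers: List[Tuple[str, str]] = []
        errors: List[str] = []
        error: Optional[str] = None
        for instr in block:
            if not self.sticky_error:
                error = None                      # fixed: fresh state per header
            if instr[0] == "indexed":
                try:
                    name, raw = self.table.lookup(instr[1])
                except IndexError as exc:
                    errors.append(str(exc))       # reference no longer resolves
                    continue
            else:
                _, name, raw = instr
                if error is None:
                    self.table.add(name, raw)     # stay in lockstep with the encoder
                # else: a stale error from an earlier header suppresses insertion
                # while the encoder has already added the entry -> tables diverge
            value = validate_value(raw)
            if value is None:
                error = f"misencoded value for header {name!r}"
                errors.append(error)
                continue
            headers.append((name, value))
        return headers, errors


def run_scenario(sticky_error: bool) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Client B sends a clean request, client A sends one misencoded header
    followed by a clean one, then client B sends a request the proxy encodes
    purely with indexed references. Returns client B's decoded headers/errors."""
    proxy, backend = Encoder(), Decoder(sticky_error)
    backend.decode_block([proxy.literal("x-tenant", b"acme"),       # constructed
                          proxy.literal("x-trace-id", b"b-0001")])
    backend.decode_block([proxy.literal("x-evil", b"\xff\xfe"),     # constructed
                          proxy.literal("x-tenant", b"mallory")])
    return backend.decode_block([proxy.indexed("x-trace-id", b"b-0001"),
                                 proxy.indexed("x-tenant", b"acme")])


if __name__ == "__main__":
    print("fixed     :", run_scenario(sticky_error=False))
    print("vulnerable:", run_scenario(sticky_error=True))
```

With the fix modelled, client B gets back exactly the two headers it sent. With the sticky error, the backend skipped one insertion during client A's block, so client B's first reference now resolves to a different entry and the second falls off the end of the table: a request from a client that never sent anything malformed fails because of what another client did on the shared connection.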
The vulnerability has a CVSS score of 6.3, a medium severity. The attack vector is network, with high attack complexity: in CVSS terms that means exploitation depends on conditions outside the attacker's control rather than on attacker skill, here a deployment in which an HTTP/2 proxy multiplexes several clients over a shared connection to the gRPC backend. Organizations running affected versions of gRPC behind such a proxy are exposed and should prioritize addressing this vulnerability.
As of now, there are no known public exploits, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. Organizations should nevertheless confirm that they are running a patched version of gRPC; the fix is in the gRPC core library's HTTP/2 (HPACK) parsing code, so language bindings built on that core inherit it and should be checked against the core version they link.
Although the rating is medium and no exploitation is known, the impact is cross-client: one malicious client behind a shared proxy can break other clients' requests, so defenders should upgrade promptly. The fixed versions are 1.58.3, 1.59.5, 1.60.2, 1.61.3, 1.62.3, 1.63.2, 1.64.3, and 1.65.4.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
