GHSA-2JX2-QCM4-RF9H - Vulnerability-Lookup

GHSA-2JX2-QCM4-RF9H

Vulnerability from github – Published: 2023-06-09 19:32 – Updated: 2023-06-09 19:32

Summary

Incomplete Internal State Distinction in GRPCWebToHTTP2ServerCodec

Details

Impact

Affected gRPC Swift servers are vulnerable to precondition failures when parsing certain gRPC Web requests. This may lead to a denial of service.

Patches

The problem has been fixed in 1.2.0.

Workarounds

No workaround is available. Users must upgrade.

Show details on source website

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "SwiftURL",
        "name": "github.com/grpc/grpc-swift"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-36153"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": true,
    "github_reviewed_at": "2023-06-09T19:32:18Z",
    "nvd_published_at": "2021-07-09T12:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nAffected gRPC Swift servers are vulnerable to precondition failures when parsing certain gRPC Web requests. This may lead to a denial of service.\n\n### Patches\n\nThe problem has been fixed in 1.2.0.\n\n### Workarounds\n\nNo workaround is available. Users must upgrade.",
  "id": "GHSA-2jx2-qcm4-rf9h",
  "modified": "2023-06-09T19:32:18Z",
  "published": "2023-06-09T19:32:18Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/grpc/grpc-swift/security/advisories/GHSA-2jx2-qcm4-rf9h"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36153"
    },
    {
      "type": "WEB",
      "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35267"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/grpc/grpc-swift"
    },
    {
      "type": "WEB",
      "url": "https://github.com/grpc/grpc-swift/releases"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Incomplete Internal State Distinction in GRPCWebToHTTP2ServerCodec"
}

CVE-2021-36153 (GCVE-0-2021-36153)

Vulnerability from cvelistv5 – Published: 2021-07-09 11:15 – Updated: 2024-08-04 00:47

Summary

Mismanaged state in GRPCWebToHTTP2ServerCodec.swift in gRPC Swift 1.1.0 and 1.1.1 allows remote attackers to deny service by sending malformed requests.

Severity ?

No CVSS data available.

CWE

n/a

Assigner

mitre

References

URL

Tags

	https://bugs.chromium.org/p/oss-fuzz/issues/detai…	x_refsource_MISC
	https://github.com/grpc/grpc-swift/releases	x_refsource_MISC
	https://github.com/grpc/grpc-swift/security/advis…	x_refsource_MISC

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T00:47:43.843Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35267"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/grpc/grpc-swift/releases"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/grpc/grpc-swift/security/advisories/GHSA-2jx2-qcm4-rf9h"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Mismanaged state in GRPCWebToHTTP2ServerCodec.swift in gRPC Swift 1.1.0 and 1.1.1 allows remote attackers to deny service by sending malformed requests."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-07-09T11:15:22",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35267"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/grpc/grpc-swift/releases"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/grpc/grpc-swift/security/advisories/GHSA-2jx2-qcm4-rf9h"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-36153",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Mismanaged state in GRPCWebToHTTP2ServerCodec.swift in gRPC Swift 1.1.0 and 1.1.1 allows remote attackers to deny service by sending malformed requests."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35267",
              "refsource": "MISC",
              "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35267"
            },
            {
              "name": "https://github.com/grpc/grpc-swift/releases",
              "refsource": "MISC",
              "url": "https://github.com/grpc/grpc-swift/releases"
            },
            {
              "name": "https://github.com/grpc/grpc-swift/security/advisories/GHSA-2jx2-qcm4-rf9h",
              "refsource": "MISC",
              "url": "https://github.com/grpc/grpc-swift/security/advisories/GHSA-2jx2-qcm4-rf9h"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-36153",
    "datePublished": "2021-07-09T11:15:22",
    "dateReserved": "2021-07-05T00:00:00",
    "dateUpdated": "2024-08-04T00:47:43.843Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Log in or create an account to share your comment.

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.