CVE-2023-4785
HIGH
gRPC 1.23.0-1.53.1 - Denial of Service via TCP Connection Flood
Title source: llmDescription
Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on POSIX-compatible platforms (e.g. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++, Python, and Ruby are affected, but gRPC Java and Go are NOT affected.
References (5)
Core References
Issue Tracking, Patch
https://github.com/grpc/grpc/pull/33656
Issue Tracking
https://github.com/grpc/grpc/pull/33667
Issue Tracking
https://github.com/grpc/grpc/pull/33669
Issue Tracking
https://github.com/grpc/grpc/pull/33670
Issue Tracking
https://github.com/grpc/grpc/pull/33672
Scores
CVSS v3
7.5
EPSS
0.0067
EPSS Percentile
46.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-248
Status
published
Products (4)
grpc/grpc
1.56.0
grpc/grpc
1.23.0 - 1.53.2
pypi/grpcio
1.55.0 - 1.55.3 (PyPI)
rubygems/grpc
1.56.0 - 1.56.2 (RubyGems)
Published
Sep 13, 2023
Tracked Since
Feb 18, 2026