PT-2023-4885 · Grpc+1

Ctiller · Published 2023-06-09 · Updated 2025-09-29 · CVE-2023-1428

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: gRPC versions prior to v1.53
Description: The issue is in the gRPC C++ implementation (gRPC Core, which also underlies the wrapped-language packages such as the Python, Ruby and PHP bindings), where certain headers received over HTTP/2 cause abort() to be called. The affected headers are te: x (where x is anything other than trailers), :scheme: x (where x is anything other than http or https), and grpclb_client_stats: x (where x can be any value). The abort is only reached when a later header in the same block pushes the total header size past 8 KB. The failing check runs while the transport parses the incoming header block, before any RPC handler executes, so no credentials are needed: a remote peer that can open an HTTP/2 connection to the service can terminate the process, which is what the vector's Au:N and A:C reflect (availability only, no confidentiality or integrity impact).
Recommendations: Upgrade to gRPC v1.53 or later, which removes the reachable abort. Where the upgrade cannot be applied immediately, the workaround is to keep the triggering header patterns from reaching the vulnerable process: reject te values other than trailers (HTTP/2 already permits no other value), reject :scheme values other than http or https, drop any grpclb_client_stats header (the advisory treats every value as triggering, so there is no safe value to pass through), and cap the total request header size below 8 KB. Because the abort happens during header parsing in the transport, an interceptor or handler inside the affected service runs too late; the filtering has to be enforced in front of it, for example by an HTTP/2-aware reverse proxy or ingress that decodes the header block, applies the rules, and re-encodes it before forwarding. Treat this as a stopgap only: the size cap also rejects legitimate requests with large metadata, and it does not fix the underlying code.
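The gateway-side filter described above, written out as an added example; this is not gRPC project code. It assumes the proxy hands the filter the header block already HPACK-decoded as (name, value) pairs in wire order, and it counts size with the RFC 7541 section 4.1 rule (name + value + 32 bytes per entry), which is assumed here to approximate the server's own accounting. The sample header blocks, the `x-padding` header and the `greeter.example` authority are constructed for the example, not captured traffic.

```python
# Pre-filter for the header pattern in CVE-2023-1428 (added example, not gRPC code).
# Assumes headers arrive HPACK-decoded as (name, value) pairs in wire order, as an
# HTTP/2-aware proxy would present them. The 32-byte per-entry overhead is the
# RFC 7541 s4.1 header-list-size rule and is an assumption about how closely it
# tracks the server's own metadata accounting; lower MAX_HEADER_BYTES if unsure.

MAX_HEADER_BYTES = 8 * 1024   # the 8 KB threshold named in the advisory
ENTRY_OVERHEAD = 32           # RFC 7541 s4.1 per-entry accounting (assumption)


def entry_size(name: str, value: str) -> int:
    """Bytes one header contributes to the header-list size."""
    return len(name.encode()) + len(value.encode()) + ENTRY_OVERHEAD


def offending_reason(name: str, value: str):
    """Return why this header matches the advisory, or None if it is benign."""
    n = name.lower()  # HTTP/2 names are lowercase on the wire; normalise so odd casing cannot slip past
    if n == "te" and value != "trailers":
        return "te value is not 'trailers'"
    if n == ":scheme" and value not in ("http", "https"):
        return ":scheme is neither http nor https"
    if n == "grpclb_client_stats":
        return "grpclb_client_stats present (any value triggers)"
    return None


def analyse(headers):
    """Classify one decoded header block.

    offenders      - (index, name, value, reason) for each header the advisory names
    total_size     - header-list size under the accounting above
    would_trigger  - an offending header is present and the running size is past
                     MAX_HEADER_BYTES at or after it: the sequence the advisory describes
                     (a block already oversized before the offender is flagged too,
                     conservatively)
    reject         - any offender at all; legitimate gRPC clients never send these
                     values, so the safe gateway policy is to drop on sight
    """
    offenders = []
    running = 0
    first_offender_at = None
    would_trigger = False
    for i, (name, value) in enumerate(headers):
        running += entry_size(name, value)
        reason = offending_reason(name, value)
        if reason is not None:
            offenders.append((i, name, value, reason))
            if first_offender_at is None:
                first_offender_at = i
        if first_offender_at is not None and running > MAX_HEADER_BYTES:
            would_trigger = True
    return {
        "offenders": offenders,
        "total_size": running,
        "would_trigger": would_trigger,
        "reject": bool(offenders),
    }


# Constructed sample header blocks (not captured traffic).
BENIGN_GRPC_REQUEST = [
    (":method", "POST"),
    (":scheme", "https"),
    (":path", "/helloworld.Greeter/SayHello"),
    (":authority", "greeter.example"),
    ("content-type", "application/grpc"),
    ("te", "trailers"),
    ("grpc-timeout", "5S"),
]

# Invalid 'te' first, then a padding header that drives the running size past 8 KB:
# the ordering the advisory describes.
TRIGGER_SEQUENCE = BENIGN_GRPC_REQUEST[:5] + [
    ("te", "x"),
    ("x-padding", "A" * (9 * 1024)),
]

# Same invalid 'te' in a small block: the server would not abort, but there is
# still no reason to forward it.
SMALL_BAD_TE = BENIGN_GRPC_REQUEST[:5] + [("te", "x")]


if __name__ == "__main__":
    for label, block in (("benign", BENIGN_GRPC_REQUEST),
                         ("trigger", TRIGGER_SEQUENCE),
                         ("small-bad-te", SMALL_BAD_TE)):
        v = analyse(block)
        print(f"{label:13s} size={v['total_size']:6d} reject={v['reject']} "
              f"would_trigger={v['would_trigger']}")
        for _, n, val, why in v["offenders"]:
            print(f"    {n}: {val[:20]!r} -> {why}")
```

The `reject` verdict is the one a gateway should act on; `would_trigger` exists so an operator can tell, from logs, which rejected requests would actually have crashed an unpatched backend and which were merely malformed.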

Weakness Enumeration: Assertion Failure

Related Identifiers

ALSA-2025:16880
BDU:2023-05376
CVE-2023-1428
GHSA-6628-q6j9-w8vg
RHSA-2024:10761

Affected Products

Red Hat
Grpc