
CVE-2021-36153: Incomplete Internal State Distinction in GRPCWebToHTTP2ServerCodec

CVSS Score (v3.1)
7.5

Basic Information

EPSS Score
0.79293%
CWE
-
Published
6/9/2023
Updated
6/19/2023
KEV Status
No
Technology
Technology
Swift

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package Name
github.com/grpc/grpc-swift
Ecosystem
swift
Vulnerable Versions
< 1.2.0
First Patched Version
1.2.0

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability title and CWE-372 (Incomplete Internal State Distinction) directly implicate state management in GRPCWebToHTTP2ServerCodec. The codec's role in parsing gRPC Web requests makes its decode method the most likely candidate for improper state transitions. NVD's description of 'mismanaged state' and the precondition failure impact pattern further support this conclusion. While exact commit details are unavailable, the codec's core responsibility for request parsing and the vulnerability's nature strongly point to the decode() function as the vulnerable component.

Vulnerable functions


WAF Protection Rules

WAF Rule

Impact
Affected gRPC Swift servers are vulnerable to precondition failures when parsing certain gRPC Web requests. This may lead to a denial of service.

Patches
The problem has been fixed in *.*.*.

Workarounds
No workaround is availa

Reasoning
