Miggo Logo
Miggo Vulnerability Database
CVE-2024-7246

CVE-2024-7246: It's possible for a gRPC client communicating with a HTTP/2 proxy to poison the HPACK table...

6.3

CVSS Score
4.0

Basic Information

CVE ID
CVE-2024-7246
GHSA ID
GHSA-ghwg-gpp4-w4x3
EPSS Score
0.17378%
CWE
CWE-440
Published
8/6/2024
Updated
8/6/2024
KEV Status
No
Technology
-

Technical Details

CVSS Vector
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability is caused by the error status of a misencoded header not being cleared, leading to subsequent headers being poisoned. The patch addresses this by introducing a separate field_error status that is cleared at the beginning of parsing each new header in HPackParser::Parser::ParseTop via the new HPackParser::Input::ClearFieldError function. Modifications in HPackParser::Parser::ParseHPackString and the constructors/error setting functions within HPackParser::Input support this new fine-grained error handling. The functions listed were directly involved in the vulnerable logic of parsing headers and handling their errors.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

It's possi*l* *or * *RP* *li*nt *ommuni**tin* wit* * *TTP/* proxy to poison t** *P**K t**l* **tw**n t** proxy *n* t** ***k*n* su** t**t ot**r *li*nts s** **il** r*qu*sts. It's *lso possi*l* to us* t*is vuln*r**ility to l**k ot**r *li*nts *TTP *****r

Reasoning

T** vuln*r**ility is **us** *y t** *rror st*tus o* * mis*n*o*** *****r not **in* *l**r**, l***in* to su*s*qu*nt *****rs **in* poison**. T** p*t** ***r*ss*s t*is *y intro*u*in* * s*p*r*t* `*i*l*_*rror` st*tus t**t is *l**r** *t t** ***innin* o* p*rsin