7.5

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-87m9-rv8p-rgmg

EPSS Score

CWE

CWE-400

Published

6/10/2024

Updated

6/17/2024

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-87m9-rv8p-rgmg

GHSA-87m9-rv8p-rgmg: go-grpc-compression has a zstd decompression bombing vulnerability

Impact

A malicious user could cause a denial of service (DoS) when using a specially crafted gRPC request. The decompression mechanism for zstd did not respect the limits imposed by gRPC, allowing rapid memory usage increases.

Versions v1.1.4 through to v1.2.2 made use of the Decoder.DecodeAll function in github.com/klauspost/compress/zstd to decompress data provided by the peer. The vulnerability is exploitable only by attackers who can send gRPC payloads to users of github.com/mostynb/go-grpc-compression/zstd or github.com/mostynb/go-grpc-compression/nonclobbering/zstd.

Patches

Version v1.2.3 of github.com/mostynb/go-grpc-compression avoids the issue by not using the Decoder.DecodeAll function in github.com/klauspost/compress/zstd.

All users of github.com/mostynb/go-grpc-compression/zstd or github.com/mostynb/go-grpc-compression/nonclobbering/zstd in the affected versions should update to v1.2.3.

Workarounds

Other compression formats were not affected, users may consider switching from zstd to another format without upgrading to a newer release.

References

This issue was uncovered during a security audit performed by Miroslav Stampar of 7ASecurity, facilitated by OSTIF, for the OpenTelemetry project.

https://opentelemetry.io/blog/2024/cve-2024-36129 https://github.com/open-telemetry/opentelemetry-collector/security/advisories/GHSA-c74f-6mfw-mm4v

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-87m9-rv8p-rgmg

EPSS Score

CWE

CWE-400

Published

6/10/2024

Updated

6/17/2024

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/mostynb/go-grpc-compression	go	>= 1.1.4, < 1.2.3	1.2.3

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability description explicitly mentions that the Decoder.DecodeAll function from github.com/klauspost/compress/zstd was the source of the vulnerability. The provided commit patch shows that the Decompress method within the compressor struct in internal/zstd/zstd.go was modified to remove the usage of c.decoder.DecodeAll. This directly addresses the vulnerability. The function compressor.Decompress was responsible for calling the vulnerable DecodeAll function, making it the key function involved in the vulnerability. The confidence is high because the patch directly modifies this function to remove the vulnerable call, and the commit message and vulnerability description corroborate this finding. The function signature compressor.Decompress is precise as it would appear in a Go profiler, including the receiver type.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t * m*li*ious us*r *oul* **us* * **ni*l o* s*rvi** (*oS) w**n usin* * sp**i*lly *r**t** *RP* r*qu*st. T** ***ompr*ssion m****nism *or zst* *i* not r*sp**t t** limits impos** *y *RP*, *llowin* r*pi* m*mory us*** in*r**s*s. V*rsions v*.*.* t

Reasoning

T** vuln*r**ility **s*ription *xpli*itly m*ntions t**t t** `***o**r.***o***ll` *un*tion *rom `*it*u*.*om/kl*uspost/*ompr*ss/zst*` w*s t** sour** o* t** vuln*r**ility. T** provi*** *ommit p*t** s*ows t**t t** `***ompr*ss` m*t*o* wit*in t** `*ompr*ssor

7.5

Basic Information

Concerned about an active attack path?

GHSA-87m9-rv8p-rgmg: go-grpc-compression has a zstd decompression bombing vulnerability

Impact

Patches

Workarounds

References

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI