CVE-2023-32732: 
Java vulnerability analysis and mitigation

gRPC contains a vulnerability (CVE-2023-32732) whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server. Specifically, a base64 encoding error for -bin suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. The vulnerability was discovered and fixed in February 2023, affecting gRPC versions prior to 1.53.0 (NVD).

The vulnerability has been assigned a CVSS v3.1 Base Score of 5.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L. The technical issue involves the handling of base64 encoding errors in -bin suffixed headers between HTTP2 proxies and gRPC servers, where the error handling mechanism was incorrectly implemented to drop the entire connection instead of just canceling the affected stream (GitHub PR).

The vulnerability can lead to a denial of service condition where the connection between an HTTP2 proxy and a gRPC server can be terminated. This affects the availability of the service, though there are no direct impacts on confidentiality or integrity (NVD).

The vulnerability has been fixed in gRPC version 1.53.0 and later. Users are recommended to upgrade to a patched version. For those unable to upgrade immediately, the fix involves changing the error handling behavior to only cancel the affected stream rather than dropping the entire connection (GitHub PR, Fedora Update).