CVE-2024-7246: 
gRPC vulnerability analysis and mitigation

CVE-2024-7246 is a vulnerability in gRPC that affects clients communicating with HTTP/2 proxies. The vulnerability was discovered and disclosed in August 2024. The issue affects gRPC implementations prior to versions 1.58.3, 1.59.5, 1.60.2, 1.61.3, 1.62.3, 1.63.2, 1.64.3, and 1.65.4 (NVD).

The vulnerability occurs when a gRPC client communicates with an HTTP/2 proxy, where the error status for a misencoded header is not cleared between header reads. This results in subsequent (incrementally indexed) added headers in the first request being poisoned until cleared from the HPACK table. The vulnerability has been assigned a CVSS v4.0 Base Score of 6.3 (Medium) with the vector string CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L (NVD).

The vulnerability can lead to two main impacts: 1) It allows the poisoning of the HPACK table between the proxy and backend, causing other clients to see failed requests, and 2) It enables the leaking of other clients' HTTP header keys (but not values) (NVD).

The recommended mitigation is to update to a fixed version of gRPC. The vulnerability has been patched in versions 1.58.3, 1.59.5, 1.60.2, 1.61.3, 1.62.3, 1.63.2, 1.64.3, and 1.65.4. Users are advised to update to these or later versions as soon as possible (NVD).