{
  "threat_severity" : "Moderate",
  "public_date" : "2024-06-10T00:00:00Z",
  "bugzilla" : {
    "description" : "grps-js: allocate memory for incoming messages well above configured limits",
    "id" : "2292036",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2292036"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
    "status" : "draft"
  },
  "cwe" : "CWE-789",
  "details" : [ "@grpc/grps-js implements the core functionality of gRPC purely in JavaScript, without a C++ addon. Prior to versions 1.10.9, 1.9.15, and 1.8.22, there are two separate code paths in which memory can be allocated per message in excess of the `grpc.max_receive_message_length` channel option: If an incoming message has a size on the wire greater than the configured limit, the entire message is buffered before it is discarded; and/or if an incoming message has a size within the limit on the wire but decompresses to a size greater than the limit, the entire message is decompressed into memory, and on the server is not discarded. This has been patched in versions 1.10.9, 1.9.15, and 1.8.22.", "A flaw was found in grps-js, which implements the core functionality of gRPC purely in JavaScript, without a C++ addon. Prior to versions 1.10.9, 1.9.15, and 1.8.22, there are two separate code paths in which memory can be allocated per message in excess of the `grpc.max_receive_message_length` channel option. If an incoming message has a size on the wire greater than the configured limit, the entire message is buffered before it is discarded. If an incoming message has a size within the limit on the wire but decompresses to a size greater than the limit, the entire message is decompressed into memory, and on the server is not discarded. This issue has been patched in versions 1.10.9, 1.9.15, and 1.8.22." ],
  "package_state" : [ {
    "product_name" : "Red Hat 3scale API Management Platform 2",
    "fix_state" : "Will not fix",
    "package_name" : "openresty",
    "cpe" : "cpe:/a:redhat:red_hat_3scale_amp:2"
  }, {
    "product_name" : "Red Hat Developer Hub",
    "fix_state" : "Not affected",
    "package_name" : "rhdh-operator-container",
    "cpe" : "cpe:/a:redhat:rhdh:1"
  }, {
    "product_name" : "Red Hat Developer Hub",
    "fix_state" : "Will not fix",
    "package_name" : "rhdh/rhdh-hub-rhel9",
    "cpe" : "cpe:/a:redhat:rhdh:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-37168\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-37168\nhttps://github.com/grpc/grpc-node/security/advisories/GHSA-7v5v-9h63-cj86" ],
  "name" : "CVE-2024-37168",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}