{"url":"http://public2.vulnerablecode.io/api/packages/373080?format=json","purl":"pkg:golang/github.com/mostynb/go-grpc-compression@1.2.3","type":"golang","namespace":"github.com/mostynb","name":"go-grpc-compression","version":"1.2.3","qualifiers":{},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":null,"latest_non_vulnerable_version":null,"affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/359739?format=json","vulnerability_id":"VCID-f7rg-ffkd-wkct","summary":"go-grpc-compression has a zstd decompression bombing vulnerability\n### Impact\n\nA malicious user could cause a denial of service (DoS) when using a specially crafted gRPC request. The decompression mechanism for zstd did not respect the limits imposed by gRPC, allowing rapid memory usage increases.\n\nVersions v1.1.4 through to v1.2.2 made use of the Decoder.DecodeAll function in github.com/klauspost/compress/zstd to decompress data provided by the peer. The vulnerability is exploitable only by attackers who can send gRPC payloads to users of github.com/mostynb/go-grpc-compression/zstd or github.com/mostynb/go-grpc-compression/nonclobbering/zstd.\n\n### Patches\n\nVersion v1.2.3 of github.com/mostynb/go-grpc-compression avoids the issue by not using the Decoder.DecodeAll function in github.com/klauspost/compress/zstd.\n\nAll users of github.com/mostynb/go-grpc-compression/zstd or github.com/mostynb/go-grpc-compression/nonclobbering/zstd in the affected versions should update to v1.2.3.\n\n### Workarounds\n\nOther compression formats were not affected, users may consider switching from zstd to another format without upgrading to a newer release.\n\n### References\n\nThis issue was uncovered during a security audit performed by [Miroslav Stampar](https://github.com/stamparm/) of [7ASecurity](https://7asecurity.com/), facilitated by [OSTIF](https://ostif.org/), for the OpenTelemetry project.\n\nhttps://opentelemetry.io/blog/2024/cve-2024-36129\nhttps://github.com/open-telemetry/opentelemetry-collector/security/advisories/GHSA-c74f-6mfw-mm4v","references":[{"reference_url":"https://github.com/mostynb/go-grpc-compression","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mostynb/go-grpc-compression"},{"reference_url":"https://github.com/mostynb/go-grpc-compression/commit/629c44d3acb9624993cc7de629f47d72109e2ce5","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mostynb/go-grpc-compression/commit/629c44d3acb9624993cc7de629f47d72109e2ce5"},{"reference_url":"https://github.com/mostynb/go-grpc-compression/security/advisories/GHSA-87m9-rv8p-rgmg","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mostynb/go-grpc-compression/security/advisories/GHSA-87m9-rv8p-rgmg"},{"reference_url":"https://pkg.go.dev/vuln/GO-2024-2911","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://pkg.go.dev/vuln/GO-2024-2911"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373080?format=json","purl":"pkg:golang/github.com/mostynb/go-grpc-compression@1.2.3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/mostynb/go-grpc-compression@1.2.3"}],"aliases":["GHSA-87m9-rv8p-rgmg"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-f7rg-ffkd-wkct"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/mostynb/go-grpc-compression@1.2.3"}