CVE-2023-4785: Backport #33656 to 1.46.x to fix gRPC Core #36474

@DannyMeister

Description

What version of gRPC and what language are you using?

C# gRPC Core 2.46.6

What operating system (Linux, Windows,...) and version?

Windows 11

What runtime / compiler are you using (e.g. python version or version of gcc)

VS2022 dotnet compiler (.NET 8)

What did you do?

Black Duck reports a vulnerability in Grpc.Core 2.46.6 (BDSA-2023-2427) (CVE-2023-4785)

Anything else we should know about your project / environment?

This CVE has already been fixed in C++ with #33656 but has not been backported to 1.46.x, which is the branch for the still-in-maintenance gRPC.Core.

The annoying part for me is that we aren't even direct users of gRPC, but are only affected by the scan picking up on a transitive dependency from the IronPdf NuGet package (commercial). If this is fixed in gRPC.Core, I will still have to get them to upgrade. I will get in touch with that vendor to see whether the dependency on gRPC.Core can be dropped, since they are already using grpc-dotnet, which supersedes it, but I don't know if it will be possible given their support of a wide variety of Windows and .NET versions.
