CVE-2020-11080

LOW

nghttp2 < 1.41.0 - Denial of Service via Large HTTP/2 SETTINGS Frame Payload

Title source: llm
STIX 2.1

Description

In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround to this vulnerability. Implement nghttp2_on_frame_recv_callback callback, and if received frame is SETTINGS frame and the number of settings entries are large (e.g., > 32), then drop the connection.

References (14)

Core 14
Core References
Third Party Advisory vendor-advisory
https://www.debian.org/security/2020/dsa-4696
Mailing List, Third Party Advisory vendor-advisory
http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00024.html
Mailing List, Third Party Advisory mailing-list
https://lists.debian.org/debian-lts-announce/2021/10/msg00011.html
Not Applicable, Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.html

Scores

CVSS v3 3.7
EPSS 0.0536
EPSS Percentile 91.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-400 CWE-707
Status published
Products (16)
debian/debian_linux 9.0
debian/debian_linux 10.0
fedoraproject/fedora 31
fedoraproject/fedora 33
nghttp2/nghttp2 < 1.41.0
nodejs/node.js 10.0.0 - 10.12.0
nodejs/node.js 10.13.0 - 10.21.0
opensuse/leap 15.1
oracle/banking_extensibility_workbench 14.3.0
oracle/banking_extensibility_workbench 14.4.0
... and 6 more
Published Jun 03, 2020
Tracked Since Feb 18, 2026