CVE-2020-11080

In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround to this vulnerability. Implement nghttp2_on_frame_recv_callback callback, and if received frame is SETTINGS frame and the number of settings entries are large (e.g., > 32), then drop the connection.

Published: Jun 4, 2020
Updated: Apr 13, 2023
CVE: CVE-2020-11080
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:N/I:N/A:P

CWEs:

CWE-707

Affected Software
References

Software	From	Fixed in
nghttp2 / nghttp2	-	1.41.0
debian / debian_linux	9.0	9.0.x
debian / debian_linux	10.0	10.0.x
opensuse / leap	15.1	15.1.x
fedoraproject / fedora	31	31.x
fedoraproject / fedora	33	33.x
oracle / enterprise_communications_broker	3.1.0	3.1.0.x
oracle / graalvm	19.3.2	19.3.2.x
oracle / graalvm	20.1.0	20.1.0.x
oracle / mysql	8.0.0	8.0.21.x
oracle / enterprise_communications_broker	3.2.0	3.2.0.x
oracle / mysql	7.6.0	7.6.15.x
oracle / mysql	7.5.0	7.5.19.x
oracle / mysql	7.4.0	7.4.29.x
oracle / mysql	7.3.0	7.3.30.x
oracle / banking_extensibility_workbench	14.4.0	14.4.0.x
oracle / banking_extensibility_workbench	14.3.0	14.3.0.x
oracle / blockchain_platform	-	21.1.2
nodejs / node.js	10.0.0	10.12.0.x
nodejs / node.js	10.13.0	10.21.0
nodejs / node.js	12.0.0	12.12.0.x
nodejs / node.js	14.0.0	14.4.0.x
nodejs / node.js	12.13.0	12.18.0

Vulnerability Database

289,571

CVE-2020-11080