1. Home
  2. Vulnerabilities
  3. CVE-2020-11080

CVE-2020-11080

CVSS v3.1 7.5 (High)
75% Progress
CVSS v2.0 5 (Medium)
50% Progress
EPSS 1.24 % (86th)
1.24% Progress
Affected Products 10
Advisories 33
Info CVSS EPSS CAPEC Affected Configurations References Security Advisories Packages & Software OVAL Tools, Exploits & PoC Graph Web & Social Timeline

In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround to this vulnerability. Implement nghttp2_on_frame_recv_callback callback, and if received frame is SETTINGS frame and the number of settings entries are large (e.g., > 32), then drop the connection.

Weaknesses
CWE-400
Uncontrolled Resource Consumption
CWE-707
Improper Neutralization
CVE Status
PUBLISHED
CNA
GitHub, Inc.
Published Date
2020-06-03 23:15:11
(4 years ago)
Updated Date
2023-11-07 03:14:29
(10 months ago)

Affected Products

Debian

Fedoraproject

Nghttp2

Nodejs

Opensuse

Oracle

Configuration #1

    CPE23 From Up To
  Nghttp2 prior 1.41.0 version cpe:2.3:a:nghttp2:nghttp2 < 1.41.0

Configuration #2

    CPE23 From Up To
  Debian Linux 9.0 cpe:2.3:o:debian:debian_linux:9.0
  Debian Linux 10.0 cpe:2.3:o:debian:debian_linux:10.0

Configuration #3

    CPE23 From Up To
  Opensuse Leap 15.1 cpe:2.3:o:opensuse:leap:15.1

Configuration #4

    CPE23 From Up To
  Fedoraproject Fedora 31 cpe:2.3:o:fedoraproject:fedora:31
  Fedoraproject Fedora 33 cpe:2.3:o:fedoraproject:fedora:33

Configuration #5

    CPE23 From Up To
  Oracle Banking Extensibility Workbench 14.3.0 cpe:2.3:a:oracle:banking_extensibility_workbench:14.3.0
  Oracle Banking Extensibility Workbench 14.4.0 cpe:2.3:a:oracle:banking_extensibility_workbench:14.4.0
  Oracle Blockchain Platform prior 21.1.2 version cpe:2.3:a:oracle:blockchain_platform < 21.1.2
  Oracle Enterprise Communications Broker 3.1.0 cpe:2.3:a:oracle:enterprise_communications_broker:3.1.0
  Oracle Enterprise Communications Broker 3.2.0 cpe:2.3:a:oracle:enterprise_communications_broker:3.2.0
  Oracle Graalvm 19.3.2 cpe:2.3:a:oracle:graalvm:19.3.2:*:*:*:enterprise
  Oracle Graalvm 20.1.0 cpe:2.3:a:oracle:graalvm:20.1.0:*:*:*:enterprise
  Oracle Mysql from 7.3.0 version and 7.3.30 and prior versions cpe:2.3:a:oracle:mysql >= 7.3.0 <= 7.3.30
  Oracle Mysql from 7.4.0 version and 7.4.29 and prior versions cpe:2.3:a:oracle:mysql >= 7.4.0 <= 7.4.29
  Oracle Mysql from 7.5.0 version and 7.5.19 and prior versions cpe:2.3:a:oracle:mysql >= 7.5.0 <= 7.5.19
  Oracle Mysql from 7.6.0 version and 7.6.15 and prior versions cpe:2.3:a:oracle:mysql >= 7.6.0 <= 7.6.15
  Oracle Mysql from 8.0.0 version and 8.0.21 and prior versions cpe:2.3:a:oracle:mysql >= 8.0.0 <= 8.0.21

Configuration #6

    CPE23 From Up To
  Nodejs Node.js from 10.0.0 version and 10.12.0 and prior versions cpe:2.3:a:nodejs:node.js::*:*:*:- >= 10.0.0 <= 10.12.0
  Nodejs Node.js from 10.13.0 version and prior 10.21.0 version cpe:2.3:a:nodejs:node.js::*:*:*:lts >= 10.13.0 < 10.21.0
  Nodejs Node.js from 12.0.0 version and 12.12.0 and prior versions cpe:2.3:a:nodejs:node.js::*:*:*:- >= 12.0.0 <= 12.12.0
  Nodejs Node.js from 12.13.0 version and prior 12.18.0 version cpe:2.3:a:nodejs:node.js::*:*:*:lts >= 12.13.0 < 12.18.0
  Nodejs Node.js from 14.0.0 version and 14.4.0 and prior versions cpe:2.3:a:nodejs:node.js::*:*:*:- >= 14.0.0 <= 14.4.0