CVE-2020-11080

LOWMonitor

Published:Jun 3, 2020(6 years ago)

Modified:Nov 21, 2024

Remote ExploitNo Auth RequiredNo Interaction

Vulnerability Description

In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround to this vulnerability. Implement nghttp2_on_frame_recv_callback callback, and if received frame is SETTINGS frame and the number of settings entries are large (e.g., > 32), then drop the connection.

Attack Characteristics

Network AccessHigh ComplexityNo Auth NeededNo User Interaction

🤖

AI analysis not yet available

Plain-English explanation, risk summary, and remediation steps will appear here once AI analysis is complete.

No Fix Known

No patch has been released yet. Apply workarounds or mitigations where available.

Affected Software

Vendor	Product	Versions	Fixed In
nghttp2	nghttp2	1.41.0	-
debian	debian_linux	-	-
debian	debian_linux	-

Timeline

Published
CVE disclosed publicly
Jun 3, 20206 years ago
Last Modified
Most recent update
Nov 21, 20241 year ago
Indexed to CVEInsight
Added to this platform
Mar 29, 20262 months ago

References

http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00024....Mailing List
https://github.com/nghttp2/nghttp2/commit/336a98feb0d56b9ac54e12736b18...Patch
https://github.com/nghttp2/nghttp2/commit/f8da73bd042f810f34d19f9eae02...Patch

CVSS Score

v3.1

3.7/ 10.0

LOW

AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

At a Glance

Affected Products

References

nghttp2 / nghttp2

https://github.com/nghttp2/nghttp2/security/advisories/GHSA-q5wr-xfw9-...Patch

https://lists.debian.org/debian-lts-announce/2021/10/msg00011.htmlMailing List

https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists...

https://www.debian.org/security/2020/dsa-4696Third Party Advisory

https://www.oracle.com//security-alerts/cpujul2021.htmlNot Applicable

https://www.oracle.com/security-alerts/cpuapr2022.htmlPatch

https://www.oracle.com/security-alerts/cpujan2021.htmlThird Party Advisory

https://www.oracle.com/security-alerts/cpujul2020.htmlThird Party Advisory

https://www.oracle.com/security-alerts/cpuoct2020.htmlThird Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00024....Mailing List

https://github.com/nghttp2/nghttp2/commit/336a98feb0d56b9ac54e12736b18...Patch

https://github.com/nghttp2/nghttp2/commit/f8da73bd042f810f34d19f9eae02...Patch

https://github.com/nghttp2/nghttp2/security/advisories/GHSA-q5wr-xfw9-...Patch

https://lists.debian.org/debian-lts-announce/2021/10/msg00011.htmlMailing List

https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists...

https://www.debian.org/security/2020/dsa-4696Third Party Advisory

https://www.oracle.com//security-alerts/cpujul2021.htmlNot Applicable

https://www.oracle.com/security-alerts/cpuapr2022.htmlPatch

https://www.oracle.com/security-alerts/cpujan2021.htmlThird Party Advisory

https://www.oracle.com/security-alerts/cpujul2020.htmlThird Party Advisory

https://www.oracle.com/security-alerts/cpuoct2020.htmlThird Party Advisory

CVSS v3 Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Exploitability

Attack VectorNetwork

Attack ComplexityHigh

Privileges RequiredNone

User InteractionNone

Impact

ScopeUnchanged

ConfidentialityNone

IntegrityNone

AvailabilityLow

Impact Analysis

ConfidentialityNone

NoneLowHigh

IntegrityNone

NoneLowHigh

AvailabilityLow

NoneLowHigh

CVE-2020-11080

✦ Vulnerability Description

Attack Characteristics

Affected Software

Timeline

References

CVSS Score

At a Glance

Official Sources

CVSS v3 Vector

Impact Analysis

Vulnerability Description