CVE-2020-11080

EPSS 0.74%
Published 03.06.2020 23:15:11
Last modified 21.11.2024 04:56:44
Source security-advisories@github.com
Teams watchlist Login
Open Login

In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround to this vulnerability. Implement nghttp2_on_frame_recv_callback callback, and if received frame is SETTINGS frame and the number of settings entries are large (e.g., > 32), then drop the connection.

Affected products Warnungen 0 Metrics 4 CWE 2 References 17

Data is provided by the National Vulnerability Database (NVD)

Nghttp2 ≫ Nghttp2 Version < 1.41.0

Debian ≫ Debian Linux Version9.0

Debian ≫ Debian Linux Version10.0

Opensuse ≫ Leap Version15.1

Fedoraproject ≫ Fedora Version31

Fedoraproject ≫ Fedora Version33

Oracle ≫ Banking Extensibility Workbench Version14.3.0

Oracle ≫ Banking Extensibility Workbench Version14.4.0

Oracle ≫ Blockchain Platform Version < 21.1.2

Oracle ≫ Enterprise Communications Broker Version3.1.0

Oracle ≫ Enterprise Communications Broker Version3.2.0

Oracle ≫ Graalvm Version19.3.2 SwEditionenterprise

Oracle ≫ Graalvm Version20.1.0 SwEditionenterprise

Oracle ≫ Mysql Version >= 7.3.0 <= 7.3.30

Oracle ≫ Mysql Version >= 7.4.0 <= 7.4.29

Oracle ≫ Mysql Version >= 7.5.0 <= 7.5.19

Oracle ≫ Mysql Version >= 7.6.0 <= 7.6.15

Oracle ≫ Mysql Version >= 8.0.0 <= 8.0.21

Nodejs ≫ Node.Js SwEdition- Version >= 10.0.0 <= 10.12.0

Nodejs ≫ Node.Js SwEditionlts Version >= 10.13.0 < 10.21.0

Nodejs ≫ Node.Js SwEdition- Version >= 12.0.0 <= 12.12.0

Nodejs ≫ Node.Js SwEditionlts Version >= 12.13.0 < 12.18.0

Nodejs ≫ Node.Js SwEdition- Version >= 14.0.0 <= 14.4.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.74%	0.722

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:N/I:N/A:P
security-advisories@github.com	3.7	2.2	1.4	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

CWE-707 Improper Neutralization

The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.

https://www.oracle.com/security-alerts/cpujan2021.html

Third Party Advisory

https://www.oracle.com/security-alerts/cpuapr2022.html

Patch

Third Party Advisory

https://www.oracle.com//security-alerts/cpujul2021.html

Third Party Advisory

Not Applicable

https://www.oracle.com/security-alerts/cpujul2020.html

Third Party Advisory

https://www.oracle.com/security-alerts/cpuoct2020.html

Third Party Advisory