7.5

CVE-2020-11080

Denial of service in nghttp2

In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround to this vulnerability. Implement nghttp2_on_frame_recv_callback callback, and if received frame is SETTINGS frame and the number of settings entries are large (e.g., > 32), then drop the connection.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Nghttp2Nghttp2 Version < 1.41.0
DebianDebian Linux Version9.0
DebianDebian Linux Version10.0
OpensuseLeap Version15.1
FedoraprojectFedora Version31
FedoraprojectFedora Version33
OracleBlockchain Platform Version < 21.1.2
OracleGraalvm Version19.3.2 SwEditionenterprise
OracleGraalvm Version20.1.0 SwEditionenterprise
OracleMysql Version >= 7.3.0 <= 7.3.30
OracleMysql Version >= 7.4.0 <= 7.4.29
OracleMysql Version >= 7.5.0 <= 7.5.19
OracleMysql Version >= 7.6.0 <= 7.6.15
OracleMysql Version >= 8.0.0 <= 8.0.21
NodejsNode.Js SwEdition- Version >= 10.0.0 <= 10.12.0
NodejsNode.Js SwEditionlts Version >= 10.13.0 < 10.21.0
NodejsNode.Js SwEdition- Version >= 12.0.0 <= 12.12.0
NodejsNode.Js SwEditionlts Version >= 12.13.0 < 12.18.0
NodejsNode.Js SwEdition- Version >= 14.0.0 <= 14.4.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 5.32% 0.915
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd@nist.gov 5 10 2.9
AV:N/AC:L/Au:N/C:N/I:N/A:P
security-advisories@github.com 3.7 2.2 1.4
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource.

CWE-707 Improper Neutralization

The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.

https://www.oracle.com/security-alerts/cpujan2021.html
Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html
Patch
Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.html
Third Party Advisory
Not Applicable
https://www.oracle.com/security-alerts/cpujul2020.html
Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.html
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/10/msg00011.html
Third Party Advisory
Mailing List
http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00024.html
Third Party Advisory
Mailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/
https://github.com/nghttp2/nghttp2/commit/336a98feb0d56b9ac54e12736b18785c27f75090
Patch
Third Party Advisory
https://github.com/nghttp2/nghttp2/commit/f8da73bd042f810f34d19f9eae02b46d870af394
Patch
Third Party Advisory
https://github.com/nghttp2/nghttp2/security/advisories/GHSA-q5wr-xfw9-q7xr
Patch
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AAC2AA36OTRHKSVM5OV7TTVB3CZIGEFL/
https://www.debian.org/security/2020/dsa-4696
Third Party Advisory