Vulnerability Details CVE-2020-11080
In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround to this vulnerability. Implement nghttp2_on_frame_recv_callback callback, and if received frame is SETTINGS frame and the number of settings entries are large (e.g., > 32), then drop the connection.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.007
EPSS Ranking 70.5%
CVSS Severity
CVSS v3 Score 3.7
CVSS v2 Score 5.0
References
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00024.html
- https://github.com/nghttp2/nghttp2/commit/336a98feb0d56b9ac54e12736b18785c27f75090
- https://github.com/nghttp2/nghttp2/commit/f8da73bd042f810f34d19f9eae02b46d870af394
- https://github.com/nghttp2/nghttp2/security/advisories/GHSA-q5wr-xfw9-q7xr
- https://lists.debian.org/debian-lts-announce/2021/10/msg00011.html
- https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AAC2AA36OTRHKSVM5OV7TTVB3CZIGEFL/
- https://www.debian.org/security/2020/dsa-4696
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00024.html
- https://github.com/nghttp2/nghttp2/commit/336a98feb0d56b9ac54e12736b18785c27f75090
- https://github.com/nghttp2/nghttp2/commit/f8da73bd042f810f34d19f9eae02b46d870af394
- https://github.com/nghttp2/nghttp2/security/advisories/GHSA-q5wr-xfw9-q7xr
- https://lists.debian.org/debian-lts-announce/2021/10/msg00011.html
- https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AAC2AA36OTRHKSVM5OV7TTVB3CZIGEFL/
- https://www.debian.org/security/2020/dsa-4696
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
Products affected by CVE-2020-11080
-
cpe:2.3:a:nghttp2:nghttp2:0.1.0
-
cpe:2.3:a:nghttp2:nghttp2:0.2.0
-
cpe:2.3:a:nghttp2:nghttp2:0.3.0
-
cpe:2.3:a:nghttp2:nghttp2:0.3.1
-
cpe:2.3:a:nghttp2:nghttp2:0.3.2
-
cpe:2.3:a:nghttp2:nghttp2:0.4.0
-
cpe:2.3:a:nghttp2:nghttp2:0.4.1
-
cpe:2.3:a:nghttp2:nghttp2:0.5.0
-
cpe:2.3:a:nghttp2:nghttp2:0.5.1
-
cpe:2.3:a:nghttp2:nghttp2:0.6.0
-
cpe:2.3:a:nghttp2:nghttp2:0.6.1
-
cpe:2.3:a:nghttp2:nghttp2:0.6.2
-
cpe:2.3:a:nghttp2:nghttp2:0.6.3
-
cpe:2.3:a:nghttp2:nghttp2:0.6.4
-
cpe:2.3:a:nghttp2:nghttp2:0.6.5
-
cpe:2.3:a:nghttp2:nghttp2:0.6.6
-
cpe:2.3:a:nghttp2:nghttp2:0.6.7
-
cpe:2.3:a:nghttp2:nghttp2:0.7.0
-
cpe:2.3:a:nghttp2:nghttp2:0.7.1
-
cpe:2.3:a:nghttp2:nghttp2:0.7.10
-
cpe:2.3:a:nghttp2:nghttp2:0.7.11
-
cpe:2.3:a:nghttp2:nghttp2:0.7.12
-
cpe:2.3:a:nghttp2:nghttp2:0.7.13
-
cpe:2.3:a:nghttp2:nghttp2:0.7.14
-
cpe:2.3:a:nghttp2:nghttp2:0.7.15
-
cpe:2.3:a:nghttp2:nghttp2:0.7.2
-
cpe:2.3:a:nghttp2:nghttp2:0.7.3
-
cpe:2.3:a:nghttp2:nghttp2:0.7.4
-
cpe:2.3:a:nghttp2:nghttp2:0.7.5
-
cpe:2.3:a:nghttp2:nghttp2:0.7.6
-
cpe:2.3:a:nghttp2:nghttp2:0.7.7
-
cpe:2.3:a:nghttp2:nghttp2:0.7.8
-
cpe:2.3:a:nghttp2:nghttp2:0.7.9
-
cpe:2.3:a:nghttp2:nghttp2:1.0.0
-
cpe:2.3:a:nghttp2:nghttp2:1.0.1
-
cpe:2.3:a:nghttp2:nghttp2:1.0.2
-
cpe:2.3:a:nghttp2:nghttp2:1.0.3
-
cpe:2.3:a:nghttp2:nghttp2:1.0.4
-
cpe:2.3:a:nghttp2:nghttp2:1.0.5
-
cpe:2.3:a:nghttp2:nghttp2:1.1.0
-
cpe:2.3:a:nghttp2:nghttp2:1.1.1
-
cpe:2.3:a:nghttp2:nghttp2:1.1.2
-
cpe:2.3:a:nghttp2:nghttp2:1.10.0
-
cpe:2.3:a:nghttp2:nghttp2:1.11.0
-
cpe:2.3:a:nghttp2:nghttp2:1.11.1
-
cpe:2.3:a:nghttp2:nghttp2:1.12.0
-
cpe:2.3:a:nghttp2:nghttp2:1.13.0
-
cpe:2.3:a:nghttp2:nghttp2:1.14.0
-
cpe:2.3:a:nghttp2:nghttp2:1.14.1
-
cpe:2.3:a:nghttp2:nghttp2:1.15.0
-
cpe:2.3:a:nghttp2:nghttp2:1.16.0
-
cpe:2.3:a:nghttp2:nghttp2:1.16.1
-
cpe:2.3:a:nghttp2:nghttp2:1.17.0
-
cpe:2.3:a:nghttp2:nghttp2:1.18.0
-
cpe:2.3:a:nghttp2:nghttp2:1.18.1
-
cpe:2.3:a:nghttp2:nghttp2:1.19.0
-
cpe:2.3:a:nghttp2:nghttp2:1.2.0
-
cpe:2.3:a:nghttp2:nghttp2:1.2.1
-
cpe:2.3:a:nghttp2:nghttp2:1.20.0
-
cpe:2.3:a:nghttp2:nghttp2:1.21.0
-
cpe:2.3:a:nghttp2:nghttp2:1.21.1
-
cpe:2.3:a:nghttp2:nghttp2:1.22.0
-
cpe:2.3:a:nghttp2:nghttp2:1.23.0
-
cpe:2.3:a:nghttp2:nghttp2:1.23.1
-
cpe:2.3:a:nghttp2:nghttp2:1.24.0
-
cpe:2.3:a:nghttp2:nghttp2:1.25.0
-
cpe:2.3:a:nghttp2:nghttp2:1.26.0
-
cpe:2.3:a:nghttp2:nghttp2:1.27.0
-
cpe:2.3:a:nghttp2:nghttp2:1.28.0
-
cpe:2.3:a:nghttp2:nghttp2:1.29.0
-
cpe:2.3:a:nghttp2:nghttp2:1.3.0
-
cpe:2.3:a:nghttp2:nghttp2:1.3.1
-
cpe:2.3:a:nghttp2:nghttp2:1.3.2
-
cpe:2.3:a:nghttp2:nghttp2:1.3.3
-
cpe:2.3:a:nghttp2:nghttp2:1.3.4
-
cpe:2.3:a:nghttp2:nghttp2:1.30.0
-
cpe:2.3:a:nghttp2:nghttp2:1.31.0
-
cpe:2.3:a:nghttp2:nghttp2:1.31.1
-
cpe:2.3:a:nghttp2:nghttp2:1.32.0
-
cpe:2.3:a:nghttp2:nghttp2:1.32.1
-
cpe:2.3:a:nghttp2:nghttp2:1.33.0
-
cpe:2.3:a:nghttp2:nghttp2:1.34.0
-
cpe:2.3:a:nghttp2:nghttp2:1.35.0
-
cpe:2.3:a:nghttp2:nghttp2:1.35.1
-
cpe:2.3:a:nghttp2:nghttp2:1.36.0
-
cpe:2.3:a:nghttp2:nghttp2:1.37.0
-
cpe:2.3:a:nghttp2:nghttp2:1.38.0
-
cpe:2.3:a:nghttp2:nghttp2:1.39.0
-
cpe:2.3:a:nghttp2:nghttp2:1.39.1
-
cpe:2.3:a:nghttp2:nghttp2:1.39.2
-
cpe:2.3:a:nghttp2:nghttp2:1.4.0
-
cpe:2.3:a:nghttp2:nghttp2:1.40.0
-
cpe:2.3:a:nghttp2:nghttp2:1.5.0
-
cpe:2.3:a:nghttp2:nghttp2:1.6.0
-
cpe:2.3:a:nghttp2:nghttp2:1.7.0
-
cpe:2.3:a:nghttp2:nghttp2:1.7.1
-
cpe:2.3:a:nghttp2:nghttp2:1.8.0
-
cpe:2.3:a:nghttp2:nghttp2:1.9.0
-
cpe:2.3:a:nghttp2:nghttp2:1.9.1
-
cpe:2.3:a:nghttp2:nghttp2:1.9.2
-
cpe:2.3:a:nodejs:node.js:10.0.0
-
cpe:2.3:a:nodejs:node.js:10.1.0
-
cpe:2.3:a:nodejs:node.js:10.10.0
-
cpe:2.3:a:nodejs:node.js:10.11.0
-
cpe:2.3:a:nodejs:node.js:10.12.0
-
cpe:2.3:a:nodejs:node.js:10.13.0
-
cpe:2.3:a:nodejs:node.js:10.14.0
-
cpe:2.3:a:nodejs:node.js:10.14.1
-
cpe:2.3:a:nodejs:node.js:10.14.2
-
cpe:2.3:a:nodejs:node.js:10.15.0
-
cpe:2.3:a:nodejs:node.js:10.15.1
-
cpe:2.3:a:nodejs:node.js:10.15.2
-
cpe:2.3:a:nodejs:node.js:10.15.3
-
cpe:2.3:a:nodejs:node.js:10.16.0
-
cpe:2.3:a:nodejs:node.js:10.16.1
-
cpe:2.3:a:nodejs:node.js:10.16.2
-
cpe:2.3:a:nodejs:node.js:10.16.3
-
cpe:2.3:a:nodejs:node.js:10.17.0
-
cpe:2.3:a:nodejs:node.js:10.18.0
-
cpe:2.3:a:nodejs:node.js:10.18.1
-
cpe:2.3:a:nodejs:node.js:10.19.0
-
cpe:2.3:a:nodejs:node.js:10.2.0
-
cpe:2.3:a:nodejs:node.js:10.2.1
-
cpe:2.3:a:nodejs:node.js:10.20.0
-
cpe:2.3:a:nodejs:node.js:10.20.1
-
cpe:2.3:a:nodejs:node.js:10.3.0
-
cpe:2.3:a:nodejs:node.js:10.4.0
-
cpe:2.3:a:nodejs:node.js:10.4.1
-
cpe:2.3:a:nodejs:node.js:10.5.0
-
cpe:2.3:a:nodejs:node.js:10.6.0
-
cpe:2.3:a:nodejs:node.js:10.7.0
-
cpe:2.3:a:nodejs:node.js:10.8.0
-
cpe:2.3:a:nodejs:node.js:10.9.0
-
cpe:2.3:a:nodejs:node.js:12.0.0
-
cpe:2.3:a:nodejs:node.js:12.1.0
-
cpe:2.3:a:nodejs:node.js:12.10.0
-
cpe:2.3:a:nodejs:node.js:12.11.0
-
cpe:2.3:a:nodejs:node.js:12.11.1
-
cpe:2.3:a:nodejs:node.js:12.12.0
-
cpe:2.3:a:nodejs:node.js:12.13.0
-
cpe:2.3:a:nodejs:node.js:12.13.1
-
cpe:2.3:a:nodejs:node.js:12.14.0
-
cpe:2.3:a:nodejs:node.js:12.14.1
-
cpe:2.3:a:nodejs:node.js:12.15.0
-
cpe:2.3:a:nodejs:node.js:12.16.0
-
cpe:2.3:a:nodejs:node.js:12.16.1
-
cpe:2.3:a:nodejs:node.js:12.16.2
-
cpe:2.3:a:nodejs:node.js:12.16.3
-
cpe:2.3:a:nodejs:node.js:12.17.0
-
cpe:2.3:a:nodejs:node.js:12.2.0
-
cpe:2.3:a:nodejs:node.js:12.3.0
-
cpe:2.3:a:nodejs:node.js:12.3.1
-
cpe:2.3:a:nodejs:node.js:12.4.0
-
cpe:2.3:a:nodejs:node.js:12.5.0
-
cpe:2.3:a:nodejs:node.js:12.6.0
-
cpe:2.3:a:nodejs:node.js:12.7.0
-
cpe:2.3:a:nodejs:node.js:12.8.0
-
cpe:2.3:a:nodejs:node.js:12.8.1
-
cpe:2.3:a:nodejs:node.js:12.9.0
-
cpe:2.3:a:nodejs:node.js:12.9.1
-
cpe:2.3:a:nodejs:node.js:14.0.0
-
cpe:2.3:a:nodejs:node.js:14.1.0
-
cpe:2.3:a:nodejs:node.js:14.2.0
-
cpe:2.3:a:nodejs:node.js:14.3.0
-
cpe:2.3:a:nodejs:node.js:14.4.0
-
cpe:2.3:a:oracle:banking_extensibility_workbench:14.3.0
-
cpe:2.3:a:oracle:banking_extensibility_workbench:14.4.0
-
cpe:2.3:a:oracle:blockchain_platform:-
-
cpe:2.3:a:oracle:enterprise_communications_broker:3.1.0
-
cpe:2.3:a:oracle:enterprise_communications_broker:3.2.0
-
cpe:2.3:a:oracle:graalvm:19.3.2
-
cpe:2.3:a:oracle:graalvm:20.1.0
-
cpe:2.3:a:oracle:mysql:7.3.0
-
cpe:2.3:a:oracle:mysql:7.3.1
-
cpe:2.3:a:oracle:mysql:7.3.10
-
cpe:2.3:a:oracle:mysql:7.3.11
-
cpe:2.3:a:oracle:mysql:7.3.12
-
cpe:2.3:a:oracle:mysql:7.3.13
-
cpe:2.3:a:oracle:mysql:7.3.14
-
cpe:2.3:a:oracle:mysql:7.3.15
-
cpe:2.3:a:oracle:mysql:7.3.16
-
cpe:2.3:a:oracle:mysql:7.3.17
-
cpe:2.3:a:oracle:mysql:7.3.18
-
cpe:2.3:a:oracle:mysql:7.3.19
-
cpe:2.3:a:oracle:mysql:7.3.2
-
cpe:2.3:a:oracle:mysql:7.3.20
-
cpe:2.3:a:oracle:mysql:7.3.21
-
cpe:2.3:a:oracle:mysql:7.3.22
-
cpe:2.3:a:oracle:mysql:7.3.23
-
cpe:2.3:a:oracle:mysql:7.3.24
-
cpe:2.3:a:oracle:mysql:7.3.25
-
cpe:2.3:a:oracle:mysql:7.3.26
-
cpe:2.3:a:oracle:mysql:7.3.27
-
cpe:2.3:a:oracle:mysql:7.3.28
-
cpe:2.3:a:oracle:mysql:7.3.29
-
cpe:2.3:a:oracle:mysql:7.3.3
-
cpe:2.3:a:oracle:mysql:7.3.30
-
cpe:2.3:a:oracle:mysql:7.3.4
-
cpe:2.3:a:oracle:mysql:7.3.5
-
cpe:2.3:a:oracle:mysql:7.3.6
-
cpe:2.3:a:oracle:mysql:7.3.7
-
cpe:2.3:a:oracle:mysql:7.3.8
-
cpe:2.3:a:oracle:mysql:7.3.9
-
cpe:2.3:a:oracle:mysql:7.4.0
-
cpe:2.3:a:oracle:mysql:7.4.1
-
cpe:2.3:a:oracle:mysql:7.4.10
-
cpe:2.3:a:oracle:mysql:7.4.11
-
cpe:2.3:a:oracle:mysql:7.4.12
-
cpe:2.3:a:oracle:mysql:7.4.13
-
cpe:2.3:a:oracle:mysql:7.4.14
-
cpe:2.3:a:oracle:mysql:7.4.15
-
cpe:2.3:a:oracle:mysql:7.4.16
-
cpe:2.3:a:oracle:mysql:7.4.17
-
cpe:2.3:a:oracle:mysql:7.4.18
-
cpe:2.3:a:oracle:mysql:7.4.19
-
cpe:2.3:a:oracle:mysql:7.4.2
-
cpe:2.3:a:oracle:mysql:7.4.20
-
cpe:2.3:a:oracle:mysql:7.4.21
-
cpe:2.3:a:oracle:mysql:7.4.22
-
cpe:2.3:a:oracle:mysql:7.4.23
-
cpe:2.3:a:oracle:mysql:7.4.24
-
cpe:2.3:a:oracle:mysql:7.4.25
-
cpe:2.3:a:oracle:mysql:7.4.26
-
cpe:2.3:a:oracle:mysql:7.4.27
-
cpe:2.3:a:oracle:mysql:7.4.28
-
cpe:2.3:a:oracle:mysql:7.4.29
-
cpe:2.3:a:oracle:mysql:7.4.3
-
cpe:2.3:a:oracle:mysql:7.4.4
-
cpe:2.3:a:oracle:mysql:7.4.5
-
cpe:2.3:a:oracle:mysql:7.4.6
-
cpe:2.3:a:oracle:mysql:7.4.7
-
cpe:2.3:a:oracle:mysql:7.4.8
-
cpe:2.3:a:oracle:mysql:7.4.9
-
cpe:2.3:a:oracle:mysql:7.5.0
-
cpe:2.3:a:oracle:mysql:7.5.1
-
cpe:2.3:a:oracle:mysql:7.5.10
-
cpe:2.3:a:oracle:mysql:7.5.11
-
cpe:2.3:a:oracle:mysql:7.5.12
-
cpe:2.3:a:oracle:mysql:7.5.13
-
cpe:2.3:a:oracle:mysql:7.5.14
-
cpe:2.3:a:oracle:mysql:7.5.15
-
cpe:2.3:a:oracle:mysql:7.5.16
-
cpe:2.3:a:oracle:mysql:7.5.17
-
cpe:2.3:a:oracle:mysql:7.5.18
-
cpe:2.3:a:oracle:mysql:7.5.19
-
cpe:2.3:a:oracle:mysql:7.5.2
-
cpe:2.3:a:oracle:mysql:7.5.3
-
cpe:2.3:a:oracle:mysql:7.5.4
-
cpe:2.3:a:oracle:mysql:7.5.5
-
cpe:2.3:a:oracle:mysql:7.5.6
-
cpe:2.3:a:oracle:mysql:7.5.7
-
cpe:2.3:a:oracle:mysql:7.5.8
-
cpe:2.3:a:oracle:mysql:7.5.9
-
cpe:2.3:a:oracle:mysql:7.6.0
-
cpe:2.3:a:oracle:mysql:7.6.1
-
cpe:2.3:a:oracle:mysql:7.6.10
-
cpe:2.3:a:oracle:mysql:7.6.11
-
cpe:2.3:a:oracle:mysql:7.6.12
-
cpe:2.3:a:oracle:mysql:7.6.13
-
cpe:2.3:a:oracle:mysql:7.6.14
-
cpe:2.3:a:oracle:mysql:7.6.15
-
cpe:2.3:a:oracle:mysql:7.6.2
-
cpe:2.3:a:oracle:mysql:7.6.3
-
cpe:2.3:a:oracle:mysql:7.6.4
-
cpe:2.3:a:oracle:mysql:7.6.5
-
cpe:2.3:a:oracle:mysql:7.6.6
-
cpe:2.3:a:oracle:mysql:7.6.7
-
cpe:2.3:a:oracle:mysql:7.6.8
-
cpe:2.3:a:oracle:mysql:7.6.9
-
cpe:2.3:a:oracle:mysql:8.0.0
-
cpe:2.3:a:oracle:mysql:8.0.1
-
cpe:2.3:a:oracle:mysql:8.0.10
-
cpe:2.3:a:oracle:mysql:8.0.11
-
cpe:2.3:a:oracle:mysql:8.0.12
-
cpe:2.3:a:oracle:mysql:8.0.13
-
cpe:2.3:a:oracle:mysql:8.0.14
-
cpe:2.3:a:oracle:mysql:8.0.15
-
cpe:2.3:a:oracle:mysql:8.0.16
-
cpe:2.3:a:oracle:mysql:8.0.17
-
cpe:2.3:a:oracle:mysql:8.0.18
-
cpe:2.3:a:oracle:mysql:8.0.19
-
cpe:2.3:a:oracle:mysql:8.0.2
-
cpe:2.3:a:oracle:mysql:8.0.20
-
cpe:2.3:a:oracle:mysql:8.0.21
-
cpe:2.3:a:oracle:mysql:8.0.3
-
cpe:2.3:a:oracle:mysql:8.0.4
-
cpe:2.3:a:oracle:mysql:8.0.5
-
cpe:2.3:o:debian:debian_linux:10.0
-
cpe:2.3:o:debian:debian_linux:9.0
-
cpe:2.3:o:fedoraproject:fedora:31
-
cpe:2.3:o:fedoraproject:fedora:33
-
cpe:2.3:o:opensuse:leap:15.1