CVE-2020-11080: In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious…

high7.5CVSS 3.1

AVNACLPRNUINSUCNINAH

In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround to this vulnerability. Implement nghttp2_on_frame_recv_callback callback, and if received frame is SETTINGS frame and the number of settings entries are large (e.g., > 32), then drop the connection.

Affected

36 ranges· showing 25

Vendor	Product	Version range	Fixed in
debian	debian_linux	—	—
debian	debian_linux	—	—
debian	nghttp2	< nghttp2 1.41.0-1 (bookworm)	nghttp2 1.41.0-1 (bookworm)
debian	nodejs	< nghttp2 1.41.0-1 (bookworm)	nghttp2 1.41.0-1 (bookworm)
fedoraproject	fedora	—	—
fedoraproject	fedora	—	—
msrc	cbl_mariner_1.0_arm	—	—
msrc	cbl_mariner_1.0_x64	—	—
msrc	cm1_nghttp2_1.41.0-1_on_cbl_mariner_1.0	—	—
nghttp2	nghttp2	< 1.41.0	1.41.0
nghttp2	nghttp2	>= 0 < 1.41.0-1	1.41.0-1
nghttp2	nghttp2	>= 0 < 1.41.0-1	1.41.0-1
nghttp2	nghttp2	>= 0 < 1.41.0-1	1.41.0-1
nghttp2	nghttp2	>= 0 < 1.41.0-1	1.41.0-1
nodejs	node.js	10.0.0 – 10.12.0	—
nodejs	node.js	>= 10.13.0 < 10.21.0	10.21.0
nodejs	node.js	12.0.0 – 12.12.0	—
nodejs	node.js	>= 12.13.0 < 12.18.0	12.18.0
nodejs	node.js	14.0.0 – 14.4.0	—
nodejs	nodejs	>= 0 < 10.21.0~dfsg-1	10.21.0~dfsg-1
nodejs	nodejs	>= 0 < 10.21.0~dfsg-1	10.21.0~dfsg-1
nodejs	nodejs	>= 0 < 10.21.0~dfsg-1	10.21.0~dfsg-1
nodejs	nodejs	>= 0 < 10.21.0~dfsg-1	10.21.0~dfsg-1
opensuse	leap	—	—
oracle	banking_extensibility_workbench	—	—

CVSS provenance

nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

osv7.5HIGH