Attacker Value
Unknown
(0 users assessed)
Exploitability
Unknown
(0 users assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
0

CVE-2020-11080

Disclosure Date: June 03, 2020
CVE-2020-11080 CVSS v3 Base Score: 7.5
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround to this vulnerability. Implement nghttp2_on_frame_recv_callback callback, and if received frame is SETTINGS frame and the number of settings entries are large (e.g., > 32), then drop the connection.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics
Base Score:
7.5 High
Impact Score:
3.6
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
None
Integrity (I):
None
Availability (A):
High

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
nghttp2 < 1.41.0
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • debian,
  • fedoraproject,
  • nghttp2,
  • nodejs,
  • opensuse,
  • oracle

Products

  • banking extensibility workbench 14.3.0,
  • banking extensibility workbench 14.4.0,
  • blockchain platform,
  • debian linux 10.0,
  • debian linux 9.0,
  • enterprise communications broker 3.1.0,
  • enterprise communications broker 3.2.0,
  • fedora 31,
  • fedora 33,
  • graalvm 19.3.2,
  • graalvm 20.1.0,
  • leap 15.1,
  • mysql,
  • nghttp2,
  • node.js

References

Canonical
CVE-2020-11080 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11080)
Advisory
DSA-4696 (https://www.debian.org/security/2020/dsa-4696)
http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00024.html
FEDORA-2020-f7d15c8b77 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AAC2AA36OTRHKSVM5OV7TTVB3CZIGEFL)
https://github.com/nghttp2/nghttp2/security/advisories/GHSA-q5wr-xfw9-q7xr
FEDORA-2020-f7d15c8b77 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AAC2AA36OTRHKSVM5OV7TTVB3CZIGEFL/)
FEDORA-2020-43d5a372fc (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/)
[debian-lts-announce] 20211017 [SECURITY] [DLA 2786-1] nghttp2 security update (https://lists.debian.org/debian-lts-announce/2021/10/msg00011.html)
[debian-lts-announce] 20231016 [SECURITY] [DLA 3621-1] nghttp2 security update (https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html)
Miscellaneous
https://www.oracle.com/security-alerts/cpujul2020.html
https://github.com/nghttp2/nghttp2/commit/336a98feb0d56b9ac54e12736b18785c27f75090
https://github.com/nghttp2/nghttp2/commit/f8da73bd042f810f34d19f9eae02b46d870af394
https://www.oracle.com/security-alerts/cpuoct2020.html
https://www.oracle.com/security-alerts/cpujan2021.html
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpuapr2022.html

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis