nghttp2 nghttp2 CVE-2020-11080 vulnerability in Nghttp2 and Other Products
Published on June 3, 2020

product logo product logo product logo product logo product logo product logo product logo product logo
In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround to this vulnerability. Implement nghttp2_on_frame_recv_callback callback, and if received frame is SETTINGS frame and the number of settings entries are large (e.g., > 32), then drop the connection.

Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory NVD

Vulnerability Analysis

CVE-2020-11080 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a small impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
HIGH
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
NONE
Integrity Impact:
NONE
Availability Impact:
LOW

Weakness Type

Improper Neutralization

The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.


Products Associated with CVE-2020-11080

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2020-11080 are published in these products:

Nghttp2
 
Oracle Enterprise Communications Broker
 
Oracle MySQL
 
Debian Linux
 
Fedora Project Fedora
 
OpenSuse Leap
 
Oracle Banking Extensibility Workbench
 
Oracle GraalVM
 
Oracle Blockchain Platform
 
nodejs node.js
 

Affected Versions

nghttp2 Version < 1.41.0 is affected by CVE-2020-11080

Exploit Probability

EPSS
0.68%
Percentile
71.17%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.