CVE-2020-11080

Denial of service in nghttp2

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround to this vulnerability. Implement nghttp2_on_frame_recv_callback callback, and if received frame is SETTINGS frame and the number of settings entries are large (e.g., > 32), then drop the connection.

En nghttp2 versiones anteriores a 1.41.0, la carga útil de la trama HTTP/2 SETTINGS demasiado grande causa una denegación de servicio. El ataque de prueba de concepto involucra a un cliente malicioso que construye una trama SETTINGS con una longitud de 14,400 bytes (2400 entradas de configuraciones individuales) una y otra vez. El ataque causa que la CPU se aumente al 100%. nghttp2 versión v1.41.0 corrige esta vulnerabilidad. Existe una solución alternativa a esta vulnerabilidad. Implemente la función nghttp2_on_frame_recv_callback callback, y si la trama es recibida es la trama SETTINGS y el número de entradas de configuración es grande (por ejemplo, mayor a 32), luego desconecte la conexión

A resource consumption vulnerability was found in nghttp2. This flaw allows an attacker to repeatedly construct an overly large HTTP/2 SETTINGS frame with a length of 14,400 bytes that causes excessive CPU usage, leading to a denial of service.

Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience. This release adds the new Apache HTTP Server 2.4.37 Service Pack 3 packages that are part of the JBoss Core Services offering. This release serves as a replacement for Red Hat JBoss Core Services Pack Apache Server 2.4.37 Service Pack 2 and includes bug fixes and enhancements. Issues addressed include buffer over-read, denial of service, and memory leak vulnerabilities.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

Low

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-03-30 CVE Reserved
2020-06-03 CVE Published
2024-08-04 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-400: Uncontrolled Resource Consumption
CWE-707: Improper Neutralization
CWE-770: Allocation of Resources Without Limits or Throttling

CAPEC

References (16)

URL	Tag	Source
https://lists.debian.org/debian-lts-announce/2021/10/msg00011.html	Mailing List
https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html	Mailing List
https://www.oracle.com//security-alerts/cpujul2021.html	Not Applicable
https://www.oracle.com/security-alerts/cpujan2021.html	Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.html	Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.html	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://github.com/nghttp2/nghttp2/commit/336a98feb0d56b9ac54e12736b18785c27f75090	2023-11-07
https://github.com/nghttp2/nghttp2/commit/f8da73bd042f810f34d19f9eae02b46d870af394	2023-11-07
https://github.com/nghttp2/nghttp2/security/advisories/GHSA-q5wr-xfw9-q7xr	2023-11-07
https://www.oracle.com/security-alerts/cpuapr2022.html	2023-11-07

URL	Date	SRC
http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00024.html	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AAC2AA36OTRHKSVM5OV7TTVB3CZIGEFL	2023-11-07
https://www.debian.org/security/2020/dsa-4696	2023-11-07
https://access.redhat.com/security/cve/CVE-2020-11080	2020-07-21
https://bugzilla.redhat.com/show_bug.cgi?id=1844929	2020-07-21

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Nghttp2 Search vendor "Nghttp2"		Nghttp2 Search vendor "Nghttp2" for product "Nghttp2"				< 1.41.0 Search vendor "Nghttp2" for product "Nghttp2" and version " < 1.41.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0"		-		Affected
Opensuse Search vendor "Opensuse"		Leap Search vendor "Opensuse" for product "Leap"				15.1 Search vendor "Opensuse" for product "Leap" and version "15.1"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				31 Search vendor "Fedoraproject" for product "Fedora" and version "31"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				33 Search vendor "Fedoraproject" for product "Fedora" and version "33"		-		Affected
Oracle Search vendor "Oracle"		Banking Extensibility Workbench Search vendor "Oracle" for product "Banking Extensibility Workbench"				14.3.0 Search vendor "Oracle" for product "Banking Extensibility Workbench" and version "14.3.0"		-		Affected
Oracle Search vendor "Oracle"		Banking Extensibility Workbench Search vendor "Oracle" for product "Banking Extensibility Workbench"				14.4.0 Search vendor "Oracle" for product "Banking Extensibility Workbench" and version "14.4.0"		-		Affected
Oracle Search vendor "Oracle"		Blockchain Platform Search vendor "Oracle" for product "Blockchain Platform"				< 21.1.2 Search vendor "Oracle" for product "Blockchain Platform" and version " < 21.1.2"		-		Affected
Oracle Search vendor "Oracle"		Enterprise Communications Broker Search vendor "Oracle" for product "Enterprise Communications Broker"				3.1.0 Search vendor "Oracle" for product "Enterprise Communications Broker" and version "3.1.0"		-		Affected
Oracle Search vendor "Oracle"		Enterprise Communications Broker Search vendor "Oracle" for product "Enterprise Communications Broker"				3.2.0 Search vendor "Oracle" for product "Enterprise Communications Broker" and version "3.2.0"		-		Affected
Oracle Search vendor "Oracle"		Graalvm Search vendor "Oracle" for product "Graalvm"				19.3.2 Search vendor "Oracle" for product "Graalvm" and version "19.3.2"		enterprise		Affected
Oracle Search vendor "Oracle"		Graalvm Search vendor "Oracle" for product "Graalvm"				20.1.0 Search vendor "Oracle" for product "Graalvm" and version "20.1.0"		enterprise		Affected
Oracle Search vendor "Oracle"		Mysql Search vendor "Oracle" for product "Mysql"				>= 7.3.0 <= 7.3.30 Search vendor "Oracle" for product "Mysql" and version " >= 7.3.0 <= 7.3.30"		-		Affected
Oracle Search vendor "Oracle"		Mysql Search vendor "Oracle" for product "Mysql"				>= 7.4.0 <= 7.4.29 Search vendor "Oracle" for product "Mysql" and version " >= 7.4.0 <= 7.4.29"		-		Affected
Oracle Search vendor "Oracle"		Mysql Search vendor "Oracle" for product "Mysql"				>= 7.5.0 <= 7.5.19 Search vendor "Oracle" for product "Mysql" and version " >= 7.5.0 <= 7.5.19"		-		Affected
Oracle Search vendor "Oracle"		Mysql Search vendor "Oracle" for product "Mysql"				>= 7.6.0 <= 7.6.15 Search vendor "Oracle" for product "Mysql" and version " >= 7.6.0 <= 7.6.15"		-		Affected
Oracle Search vendor "Oracle"		Mysql Search vendor "Oracle" for product "Mysql"				>= 8.0.0 <= 8.0.21 Search vendor "Oracle" for product "Mysql" and version " >= 8.0.0 <= 8.0.21"		-		Affected
Nodejs Search vendor "Nodejs"		Node.js Search vendor "Nodejs" for product "Node.js"				>= 10.0.0 <= 10.12.0 Search vendor "Nodejs" for product "Node.js" and version " >= 10.0.0 <= 10.12.0"		-		Affected
Nodejs Search vendor "Nodejs"		Node.js Search vendor "Nodejs" for product "Node.js"				>= 10.13.0 < 10.21.0 Search vendor "Nodejs" for product "Node.js" and version " >= 10.13.0 < 10.21.0"		lts		Affected
Nodejs Search vendor "Nodejs"		Node.js Search vendor "Nodejs" for product "Node.js"				>= 12.0.0 <= 12.12.0 Search vendor "Nodejs" for product "Node.js" and version " >= 12.0.0 <= 12.12.0"		-		Affected
Nodejs Search vendor "Nodejs"		Node.js Search vendor "Nodejs" for product "Node.js"				>= 12.13.0 < 12.18.0 Search vendor "Nodejs" for product "Node.js" and version " >= 12.13.0 < 12.18.0"		lts		Affected
Nodejs Search vendor "Nodejs"		Node.js Search vendor "Nodejs" for product "Node.js"				>= 14.0.0 <= 14.4.0 Search vendor "Nodejs" for product "Node.js" and version " >= 14.0.0 <= 14.4.0"		-		Affected