Home

CVE-2020-11080

Description

In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround to this vulnerability. Implement nghttp2_on_frame_recv_callback callback, and if received frame is SETTINGS frame and the number of settings entries are large (e.g., > 32), then drop the connection.

Risk Information

Base Score
7.5
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score
Exploitation Probability
0.683

Associated Vulnerability

VulnerabilityOS Platform
Multiple Vulnerabilities are affected in Mysql 8.0.21Windows
Multiple Vulnerabilities are affected in Mysql 8.0.5Windows
Vulnerabilities CVE-2020-8172,CVE-2020-11080,CVE-2020-8174,CVE-2020-10531 are fixed in Node.js 12 (x64) (12.18.0)Windows
Vulnerabilities CVE-2020-8172,CVE-2020-11080,CVE-2020-8174,CVE-2020-10531 are fixed in Node.js 12 (12.18.0)Windows
Vulnerabilities CVE-2020-8172,CVE-2020-11080,CVE-2020-8174,CVE-2020-10531 are fixed in Node.js 14 (14.21.3)Windows
Vulnerabilities CVE-2020-8172,CVE-2020-11080,CVE-2020-8174,CVE-2020-10531 are fixed in Node.js 14 (x64) (14.21.3)Windows
Vulnerabilities CVE-2020-8172,CVE-2020-11080,CVE-2020-8174,CVE-2020-10531 are fixed in Node.js 10 (x64) (10.21.0)Windows
Vulnerabilities CVE-2020-8172,CVE-2020-11080,CVE-2020-8174,CVE-2020-10531 are fixed in Node.js 10 (10.21.0)Windows
Vulnerabilities CVE-2020-8172,CVE-2020-11080,CVE-2020-8174,CVE-2020-10531 are fixed in Node.js 10 (x64) (10.24.1)Windows
Vulnerabilities CVE-2019-17560,CVE-2020-11080,CVE-2020-14583,CVE-2020-14718 are affected in Oracle GraalVM Enterprise Edition 19.3.2Windows
Vulnerabilities CVE-2019-17560,CVE-2020-11080,CVE-2020-14583,CVE-2020-14718 are affected in Oracle GraalVM Enterprise Edition 20.1.0Windows
nodejs security update(DSA-4696-1) nodejs_10.21.0~dfsg-1~deb10u1_i386.debLinux
nodejs security update(DSA-4696-1) nodejs_10.21.0~dfsg-1~deb10u1_amd64.debLinux
(RHSA-2020:2755) nghttp2 security update libnghttp2-1.33.0-3.el8_2.1.i686.rpmLinux
(RHSA-2020:2755) nghttp2 security update libnghttp2-1.33.0-3.el8_2.1.x86_64.rpmLinux
(RHSA-2020:2755) nghttp2 security update nghttp2-debugsource-1.33.0-3.el8_2.1.i686.rpmLinux
(RHSA-2020:2755) nghttp2 security update nghttp2-debugsource-1.33.0-3.el8_2.1.x86_64.rpmLinux
(RHSA-2020:2848) nodejs:10 security update nodejs-10.21.0-3.module+el8.2.0+7071+d2377ea3.x86_64.rpmLinux
(RHSA-2020:2848) nodejs:10 security update nodejs-debugsource-10.21.0-3.module+el8.2.0+7071+d2377ea3.x86_64.rpmLinux
(RHSA-2020:2848) nodejs:10 security update nodejs-devel-10.21.0-3.module+el8.2.0+7071+d2377ea3.x86_64.rpmLinux
(RHSA-2020:2848) nodejs:10 security update nodejs-docs-10.21.0-3.module+el8.2.0+7071+d2377ea3.noarch.rpmLinux
(RHSA-2020:2848) nodejs:10 security update nodejs-full-i18n-10.21.0-3.module+el8.2.0+7071+d2377ea3.x86_64.rpmLinux
(RHSA-2020:2848) nodejs:10 security update npm-6.14.4-1.10.21.0.3.module+el8.2.0+7071+d2377ea3.x86_64.rpmLinux
(RHSA-2020:2852) nodejs:12 security update nodejs-12.18.2-1.module+el8.2.0+7233+61d664c1.x86_64.rpmLinux
(RHSA-2020:2852) nodejs:12 security update nodejs-debugsource-12.18.2-1.module+el8.2.0+7233+61d664c1.x86_64.rpmLinux
(RHSA-2020:2852) nodejs:12 security update nodejs-devel-12.18.2-1.module+el8.2.0+7233+61d664c1.x86_64.rpmLinux
(RHSA-2020:2852) nodejs:12 security update nodejs-docs-12.18.2-1.module+el8.2.0+7233+61d664c1.noarch.rpmLinux
(RHSA-2020:2852) nodejs:12 security update nodejs-full-i18n-12.18.2-1.module+el8.2.0+7233+61d664c1.x86_64.rpmLinux
(RHSA-2020:2852) nodejs:12 security update npm-6.14.5-1.12.18.2.1.module+el8.2.0+7233+61d664c1.x86_64.rpmLinux
Libnghttp2 update (ELSA-2020-2755) libnghttp2-1.33.0-3.el8_2.1.x86_64.rpmLinux
Libnghttp2-devel update (ELSA-2020-2755) libnghttp2-devel-1.33.0-3.el8_2.1.x86_64.rpmLinux
Nghttp2 update (ELSA-2020-2755) nghttp2-1.33.0-3.el8_2.1.x86_64.rpmLinux
Libnghttp2 update (ELSA-2020-2755) libnghttp2-1.33.0-3.el8_2.1.i686.rpmLinux
Libnghttp2-devel update (ELSA-2020-2755) libnghttp2-devel-1.33.0-3.el8_2.1.i686.rpmLinux
SUSE-SU-2021:0932-1(SUSE Linux Enterprise Server 12-SP5 ) libnghttp2-14-1.39.2-3.5.1.x86_64.rpmLinux
SUSE-SU-2021:0932-1(SUSE Linux Enterprise Server 12-SP5 ) libnghttp2-14-32bit-1.39.2-3.5.1.x86_64.rpmLinux
SUSE-SU-2021:0932-1(SUSE Linux Enterprise Server 12-SP5 ) libnghttp2-14-debuginfo-1.39.2-3.5.1.x86_64.rpmLinux
SUSE-SU-2021:0932-1(SUSE Linux Enterprise Server 12-SP5 ) libnghttp2-14-debuginfo-32bit-1.39.2-3.5.1.x86_64.rpmLinux
SUSE-SU-2021:0932-1(SUSE Linux Enterprise Server 12-SP5 ) nghttp2-debuginfo-1.39.2-3.5.1.x86_64.rpmLinux
SUSE-SU-2021:0932-1(SUSE Linux Enterprise Server 12-SP5 ) nghttp2-debugsource-1.39.2-3.5.1.x86_64.rpmLinux
(CESA-2020:2755) nghttp2 security update libnghttp2-1.33.0-3.el8_2.1.i686.rpmLinux
(CESA-2020:2755) nghttp2 security update libnghttp2-1.33.0-3.el8_2.1.x86_64.rpmLinux
Libnghttp2 update (ELSA-2023-5837) libnghttp2-1.33.0-5.el8_8.i686.rpmLinux
Libnghttp2 update (ELSA-2023-5837) libnghttp2-1.33.0-5.el8_8.x86_64.rpmLinux
Multiple Vulnerabilities are affected in Mysql 8.0.21 (For Linux)Linux
Multiple Vulnerabilities are affected in Mysql 8.0.5 (For Linux)Linux
HTTP/2 C Library and tools (USN-6142-1) libnghttp2-dev_1.40.0-1ubuntu0.1_i386.debLinux
HTTP/2 C Library and tools (USN-6142-1) libnghttp2-dev_1.40.0-1ubuntu0.1_amd64.debLinux
nghttp2 security update (RLSA-2020:2755) libnghttp2-1.33.0-3.el8_3.1.i686.rpmLinux
nghttp2 security update (RLSA-2020:2755) libnghttp2-1.33.0-3.el8_3.1.x86_64.rpmLinux
Nodejs-nodemon update (ELSA-2020-2848) nodejs-nodemon-1.18.3-1.module+el8.1.0+5392+4d6b561f.noarch.rpmLinux
Nodejs-packaging update (ELSA-2020-2848) nodejs-packaging-17-3.module+el8.1.0+5392+4d6b561f.noarch.rpmLinux

Patch Details

Click to see the patches provided by ManageEngine for this CVE
Patch IDPatch Description
PATCH-324371Node.js 12 (x64) (12.22.12)
PATCH-324370Node.js 12 (12.22.12)
PATCH-329082Node.js 14 (14.21.3)
PATCH-329083Node.js 14 (x64) (14.21.3)
PATCH-319043Node.js 10 (x64) (10.24.1)
PATCH-319042Node.js 10 (10.24.1)
PATCH-319043Node.js 10 (x64) (10.24.1)

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234