CVE-2020-11080

HIGH7.5EPSS 1.2%

nghttp2 - security update

發布日:2020/6/3修改日:2026/3/9

也稱為:ALPINE-CVE-2020-11080DEBIAN-CVE-2020-11080DLA-3621-1

描述

In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround to this vulnerability. Implement nghttp2_on_frame_recv_callback callback, and if received frame is SETTINGS frame and the number of settings entries are large (e.g., > 32), then drop the connection.

受影響套件(8)

Alpine/nghttp2from 0, < 1.39.2-r1
Alpine/nodejsfrom 0, < 12.20.1-r0
Bitnami/node>= 10.13.0, < 10.21.0, >= 12.13.0, < 12.18.0, >= 14.0.0, < 14.4.1
Bitnami/node-min>= 10.0.0, < 10.12.1, >= 10.13.0, < 10.21.0, >= 12.0.0, < 12.12.1, >= 12.13.0, < 12.18.0, >= 14.0.0, < 14.4.1
Debian/nghttp2from 0, < 1.36.0-2+deb10u2
Debian/nghttp2from 0, < 1.41.0-1
Debian/nodejsfrom 0, < 10.21.0~dfsg-1~deb10u1
Debian/nodejsfrom 0, < 10.21.0~dfsg-1

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

描述

受影響套件(8)

CVSS 分數

參考連結(17)