QwikSec

Security Database

CVE

CWE

Training

CVE Database
/

CVE-2020-11080

Back to search

CVE-2020-11080

Published: Jun 3, 2020

Modified: Jun 9, 2025

PUBLISHED

CVSS v3.1

3.7

LOW

Description

In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround to this vulnerability. Implement nghttp2_on_frame_recv_callback callback, and if received frame is SETTINGS frame and the number of settings entries are large (e.g., > 32), then drop the connection.

VendorProductVersions

nghttp2

nghttp2

affected
< 1.41.0

Weaknesses (CWE)

CWE-707

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

Low

References

DSA-4696
vendor-advisory
openSUSE-SU-2020:0802
vendor-advisory
FEDORA-2020-f7d15c8b77
vendor-advisory
FEDORA-2020-43d5a372fc
vendor-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now