CVE-2020-11080: Denial of service in nghttp2
Published Jun 2, 2020
A resource consumption vulnerability was found in nghttp2 before version 1.41.0. A malicious client can repeatedly send an overly large HTTP/2 SETTINGS frame, in the published proof of concept one with a 14,400-byte payload (2,400 six-byte settings entries), and the library decodes and applies every entry of every frame. Because 14,400 bytes is below the default SETTINGS_MAX_FRAME_SIZE of 16,384, the frame is valid on the wire and no frame-size check rejects it; the per-frame processing cost drives CPU usage to 100% and denies service to other clients. nghttp2 1.41.0 caps the number of entries accepted per SETTINGS frame (nghttp2_option_set_max_settings(), default 32) and treats a frame that exceeds the cap as a connection error.
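The following is an added example, not code from nghttp2 or from this advisory. It encodes HTTP/2 frames per RFC 7540, builds a SETTINGS frame of the shape the advisory describes (2,400 entries, 14,400 payload bytes), and runs a constructed flood of such frames through a minimal inbound-frame loop twice: once with no entry cap, which reproduces the pre-1.41.0 behaviour of decoding every entry, and once with a per-frame cap of 32 entries, the default that 1.41.0 introduced. The validation logic is written independently for illustration and is not a transcription of nghttp2's own frame handler; the constant names and the 100-frame flood are assumptions of this example.

```python
"""HTTP/2 SETTINGS frame parsing with and without a per-frame entry cap.

Added example for CVE-2020-11080; not nghttp2's code. Wire format follows
RFC 7540 sections 4.1 and 6.5; the cap of 32 mirrors NGHTTP2_DEFAULT_MAX_SETTINGS.
"""
import struct

FRAME_HEADER_LEN = 9
SETTINGS_TYPE = 0x4
SETTINGS_ACK = 0x1
SETTINGS_ENTRY_LEN = 6           # 16-bit identifier + 32-bit value (RFC 7540 s6.5.1)
DEFAULT_MAX_FRAME_SIZE = 16384   # initial SETTINGS_MAX_FRAME_SIZE (RFC 7540 s6.5.2)
DEFAULT_MAX_SETTINGS = 32        # nghttp2 >= 1.41.0 default entry cap
SETTINGS_MAX_CONCURRENT_STREAMS = 0x3


def build_settings_frame(entries, flags=0):
    """Encode one SETTINGS frame on stream 0 carrying (identifier, value) pairs."""
    payload = b"".join(struct.pack("!HI", ident, value) for ident, value in entries)
    header = len(payload).to_bytes(3, "big") + bytes([SETTINGS_TYPE, flags]) + (0).to_bytes(4, "big")
    return header + payload


def build_poc_frame(n_entries=2400):
    """Frame of the shape the advisory describes: 2400 entries * 6 bytes = 14,400-byte payload."""
    return build_settings_frame([(SETTINGS_MAX_CONCURRENT_STREAMS, 100)] * n_entries)


def parse_frame_header(buf):
    """Split a 9-byte HTTP/2 frame header into (length, type, flags, stream_id)."""
    length = int.from_bytes(buf[0:3], "big")
    ftype, flags = buf[3], buf[4]
    stream_id = int.from_bytes(buf[5:9], "big") & 0x7FFFFFFF
    return length, ftype, flags, stream_id


def check_settings_frame(frame, max_settings=DEFAULT_MAX_SETTINGS):
    """Validate a SETTINGS frame before its entries are iterated.

    Returns (accepted, reason, n_entries). max_settings=None disables the entry
    cap, reproducing the pre-1.41.0 behaviour: any payload that fits the frame
    size limit is accepted and every entry is processed.
    """
    length, ftype, flags, stream_id = parse_frame_header(frame)
    if ftype != SETTINGS_TYPE:
        return False, "not a SETTINGS frame", 0
    if stream_id != 0:
        return False, "PROTOCOL_ERROR: SETTINGS on non-zero stream", 0
    if length > DEFAULT_MAX_FRAME_SIZE:
        return False, "FRAME_SIZE_ERROR: exceeds SETTINGS_MAX_FRAME_SIZE", 0
    if flags & SETTINGS_ACK:
        if length != 0:
            return False, "FRAME_SIZE_ERROR: ACK with payload", 0
        return True, "ack", 0
    if length % SETTINGS_ENTRY_LEN:
        return False, "FRAME_SIZE_ERROR: payload not a multiple of 6", 0
    n_entries = length // SETTINGS_ENTRY_LEN
    # The fix: reject before touching the entries, so a flood of maximal frames
    # costs one header parse and a GOAWAY instead of thousands of entry updates each.
    if max_settings is not None and n_entries > max_settings:
        return False, f"too many SETTINGS entries ({n_entries} > {max_settings})", 0
    return True, "ok", n_entries


def process_connection(data, max_settings=DEFAULT_MAX_SETTINGS):
    """Walk a byte stream of frames the way a server's inbound frame loop would.

    Returns (frames_accepted, entries_processed, error). Processing stops at
    the first rejected frame, since a real peer answers it with GOAWAY and
    drops the connection.
    """
    frames_accepted = entries_processed = 0
    offset = 0
    while offset + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[offset:offset + 3], "big")
        frame = data[offset:offset + FRAME_HEADER_LEN + length]
        if len(frame) < FRAME_HEADER_LEN + length:
            break  # truncated frame: wait for more bytes
        ok, reason, n = check_settings_frame(frame, max_settings)
        if not ok:
            return frames_accepted, entries_processed, reason
        # Unpatched path: every entry is decoded and applied to connection state.
        for i in range(n):
            struct.unpack_from("!HI", frame, FRAME_HEADER_LEN + i * SETTINGS_ENTRY_LEN)
            entries_processed += 1
        frames_accepted += 1
        offset += FRAME_HEADER_LEN + length
    return frames_accepted, entries_processed, None


if __name__ == "__main__":
    poc = build_poc_frame()
    flood = poc * 100  # constructed attack traffic: the same frame sent over and over
    print("payload bytes:", len(poc) - FRAME_HEADER_LEN)
    print("unpatched:", process_connection(flood, max_settings=None))
    print("patched:  ", process_connection(flood))
```

The unpatched run accepts all 100 frames and decodes 240,000 entries; the capped run rejects the very first frame with zero entries decoded, which is the whole effect of the 1.41.0 change. Products that embed nghttp2 expose the same knob: libnghttp2 callers set it with nghttp2_option_set_max_settings(), and Node.js exposes it as the maxSettings option of http2.createServer() and http2.connect() (default 32) in the fixed releases.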
Affected Software
46 affected components; fixes available. Each entry lists the affected version range and the version that carries the fix.
redhat/jbcs-httpd24-curl < 0:7.64.1-36.jbcs.el6 (fixed in 0:7.64.1-36.jbcs.el6)
redhat/jbcs-httpd24-httpd < 0:2.4.37-57.jbcs.el6 (fixed in 0:2.4.37-57.jbcs.el6)
redhat/jbcs-httpd24-nghttp2 < 0:1.39.2-25.jbcs.el6 (fixed in 0:1.39.2-25.jbcs.el6)
redhat/jbcs-httpd24-curl < 0:7.64.1-36.jbcs.el7 (fixed in 0:7.64.1-36.jbcs.el7)
redhat/jbcs-httpd24-httpd < 0:2.4.37-57.jbcs.el7 (fixed in 0:2.4.37-57.jbcs.el7)
redhat/jbcs-httpd24-nghttp2 < 0:1.39.2-25.jbcs.el7 (fixed in 0:1.39.2-25.jbcs.el7)
redhat/jbcs-httpd24-openssl-pkcs11 < 0:0.4.10-7.jbcs.el7 (fixed in 0:0.4.10-7.jbcs.el7)
redhat/servicemesh-proxy < 0:1.0.10-3.el8 (fixed in 0:1.0.10-3.el8)
redhat/servicemesh-proxy < 0:1.1.2-3.el8 (fixed in 0:1.1.2-3.el8)
redhat/nghttp2 < 0:1.33.0-3.el8_2.1 (fixed in 0:1.33.0-3.el8_2.1)
redhat/nghttp2 < 0:1.33.0-1.el8_0.2 (fixed in 0:1.33.0-1.el8_0.2)
redhat/nghttp2 < 0:1.33.0-3.el8_1.1 (fixed in 0:1.33.0-3.el8_1.1)
redhat/httpd24-nghttp2 < 0:1.7.1-8.el6.1 (fixed in 0:1.7.1-8.el6.1)
redhat/httpd24-nghttp2 < 0:1.7.1-8.el7.1 (fixed in 0:1.7.1-8.el7.1)
redhat/rh-nodejs12-nodejs < 0:12.18.2-1.el7 (fixed in 0:12.18.2-1.el7)
redhat/rh-nodejs10-nodejs < 0:10.21.0-3.el7 (fixed in 0:10.21.0-3.el7)
debian/nodejs <= 10.20.1~dfsg-1, <= 10.19.0~dfsg1-1 (fixed in 10.21.0~dfsg-1, 12.18.0~dfsg-1, 10.21.0~dfsg-1~deb10u1)
debian/nghttp2 <= 1.36.0-2+deb10u1 (fixed in 1.36.0-2+deb10u2, 1.43.0-1, 1.52.0-1, 1.58.0-1)
debian/nodejs (fixed in 10.24.0~dfsg-1~deb10u1, 10.24.0~dfsg-1~deb10u3, 12.22.12~dfsg-1~deb11u4, 18.13.0+dfsg1-1)
redhat/nghttp2 < 1.41.0 (fixed in 1.41.0)
redhat/node < 10.21.0 (fixed in 10.21.0)
redhat/node < 12.18.0 (fixed in 12.18.0)
redhat/node < 14.4.0 (fixed in 14.4.0)
nghttp2 nghttp2<1.41.0
Debian Debian Linux=9.0
Debian Debian Linux=10.0
openSUSE Leap=15.1
Fedoraproject Fedora=31
Fedoraproject Fedora=33
Oracle Banking Extensibility Workbench=14.3.0
Oracle Banking Extensibility Workbench=14.4.0
Oracle Blockchain Platform<21.1.2
Oracle Enterprise Communications Broker=3.1.0
Oracle Enterprise Communications Broker=3.2.0
Oracle GraalVM=19.3.2
Oracle GraalVM=20.1.0
Oracle MySQL>=7.3.0<=7.3.30
Oracle MySQL>=7.4.0<=7.4.29
Oracle MySQL>=7.5.0<=7.5.19
Oracle MySQL>=7.6.0<=7.6.15
Oracle MySQL>=8.0.0<=8.0.21
Nodejs Node.js>=10.0.0<=10.12.0
Nodejs Node.js>=10.13.0<10.21.0
Nodejs Node.js>=12.0.0<=12.12.0
Nodejs Node.js>=12.13.0<12.18.0
Nodejs Node.js>=14.0.0<14.4.0
Remediation
Patch available: upgrade nghttp2 to 1.41.0 or later, or to the vendor-fixed package versions listed above. Products that bundle or statically link nghttp2 (Node.js, curl, Apache httpd, the Service Mesh proxy, MySQL, GraalVM) must be updated as a whole; updating the system nghttp2 package does not fix an embedded copy.
Event History
Jun 2, 2020, 12:00 AM: CVE published
Jun 3, 2020, 12:00 AM: CVE published via MITRE; data sourced via MITRE
Frequently Asked Questions
1. What is the severity of CVE-2020-11080?
It is a denial of service flaw: an unauthenticated remote client can drive a server's CPU to 100% by repeatedly sending oversized SETTINGS frames. NVD rates it CVSS 3.1 7.5 (High) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, that is, network-reachable, no privileges or user interaction required, availability impact only.
2. How do I fix CVE-2020-11080?
Update nghttp2 to version 1.41.0 or later, or to the distribution package versions listed above. Where nghttp2 is bundled rather than dynamically linked, update the bundling product instead: Node.js 10.21.0, 12.18.0 or 14.4.0, and the curl, httpd and Service Mesh proxy builds listed above. To confirm which copy is in use, check the library version the binary reports, for example "curl --version" prints the linked nghttp2 version and "node -p process.versions.nghttp2" prints the copy embedded in Node.js.
3. Which versions of nghttp2 are affected by CVE-2020-11080?
All nghttp2 versions prior to 1.41.0, including the copies embedded in the Node.js, Oracle MySQL and GraalVM releases listed above.
4. What type of vulnerability is CVE-2020-11080?
Uncontrolled resource consumption: a protocol-valid SETTINGS frame with thousands of entries costs the server far more CPU to process than it costs the client to send, so repeating it denies service.
5. Is this vulnerability specific to certain operating systems or distributions?
No. The flaw is in nghttp2 itself, so any platform or product shipping an unpatched copy is affected; the listing above covers Red Hat and Debian packages as well as Node.js, Oracle and other products that embed the library.