FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

nghttp2 -- DoS vulnerability

Affected packages
libnghttp2 < 1.41.0
nghttp2 < 1.41.0

Details

VuXML ID 4bb56d2f-a5b0-11ea-a860-08002728f74c
Discovery 2020-06-02
Entry 2020-06-03

nghttp2 security advisories:

The overly large HTTP/2 SETTINGS frame payload causes denial of service.

The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%.
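A defender-side check for the condition described above, added here as an example and not code from nghttp2 or the advisory: it walks the HTTP/2 frame headers in a captured, already-decrypted byte stream and reports SETTINGS frames whose declared entry count exceeds a threshold. The function names, the `MAX_ENTRIES` threshold and the sample capture are assumptions constructed for illustration.

```python
import struct

PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"  # client connection preface
SETTINGS = 0x4     # frame type (RFC 7540, section 6.5)
ENTRY_SIZE = 6     # 16-bit identifier + 32-bit value per setting
MAX_ENTRIES = 32   # assumed local alert threshold, not a value from the advisory


def settings_entry_counts(buf):
    """Return the declared entry count of every SETTINGS frame in buf."""
    off = len(PREFACE) if buf.startswith(PREFACE) else 0
    counts = []
    while off + 9 <= len(buf):
        # 9-byte header: 24-bit length, type, flags, reserved bit + stream id
        hi, lo, ftype, _flags, _sid = struct.unpack_from(">BHBBI", buf, off)
        length = (hi << 16) | lo
        if ftype == SETTINGS:
            counts.append(length // ENTRY_SIZE)
        off += 9 + length  # skip the payload; only the header is needed
    return counts


def oversized_settings(buf, max_entries=MAX_ENTRIES):
    """Entry counts of the SETTINGS frames that exceed max_entries."""
    return [n for n in settings_entry_counts(buf) if n > max_entries]


def build_frame(ftype, payload):
    """Serialise one frame on stream 0 (used only to build the sample below)."""
    return struct.pack(">BHBBI", len(payload) >> 16, len(payload) & 0xFFFF,
                       ftype, 0, 0) + payload


# Constructed sample capture: preface, an ordinary 3-entry SETTINGS frame,
# a PING, then five SETTINGS frames of the size quoted in the advisory.
ENTRY = struct.pack(">HI", 0x4, 65535)  # SETTINGS_INITIAL_WINDOW_SIZE
SAMPLE = (PREFACE
          + build_frame(SETTINGS, ENTRY * 3)
          + build_frame(0x6, b"\x00" * 8)
          + build_frame(SETTINGS, ENTRY * 2400) * 5)

if __name__ == "__main__":
    print("SETTINGS entry counts:", settings_entry_counts(SAMPLE))
    print("over threshold:", oversized_settings(SAMPLE))
```

Because each setting occupies 6 bytes, the 2400 entries quoted in the advisory correspond to the 14,400-byte frame length that the check reads from the header.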

References

CVE Name CVE-2020-11080
URL https://github.com/nghttp2/nghttp2/security/advisories/GHSA-q5wr-xfw9-q7xr