Fluid Attacks Database

Description

In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround to this vulnerability. Implement nghttp2_on_frame_recv_callback callback, and if received frame is SETTINGS frame and the number of settings entries are large (e.g., > 32), then drop the connection.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
alpine v3.16	nghttp2	=1.10.0-r0 \|\| =1.11.0-r0 \|\| =1.11.1-r0 \|\| =1.12.0-r0 \|\| =1.13.0-r0 \|\| =1.14.0-r0 \|\| =1.14.1-r0 \|\| =1.15.0-r0 \|\| =1.15.0-r1 \|\| =1.16.0-r0 \|\| =1.16.1-r0 \|\| =1.17.0-r0 \|\| =1.18.0-r0 \|\| =1.18.0-r1 \|\| =1.18.1-r0 \|\| =1.2.0-r0 \|\| =1.20.0-r0 \|\| =1.21.0-r0 \|\| =1.21.1-r0 \|\| =1.21.1-r1 \|\| =1.22.0-r0 \|\| =1.23.1-r0 \|\| =1.24.0-r0 \|\| =1.25.0-r0 \|\| =1.26.0-r0 \|\| =1.27.0-r0 \|\| =1.27.0-r1 \|\| =1.28.0-r0 \|\| =1.29.0-r0 \|\| =1.3.0-r0 \|\| =1.3.2-r0 \|\| =1.3.4-r0 \|\| =1.30.0-r0 \|\| =1.31.0-r0 \|\| =1.31.0-r1 \|\| =1.31.1-r0 \|\| =1.32.0-r0 \|\| =1.33.0-r0 \|\| =1.33.0-r1 \|\| =1.34.0-r0 \|\| =1.35.1-r0 \|\| =1.36.0-r0 \|\| =1.37.0-r0 \|\| =1.37.0-r1 \|\| =1.38.0-r0 \|\| =1.39.1-r0 \|\| =1.39.2-r0 \|\| =1.39.2-r1 \|\| =1.39.2-r2 \|\| =1.40.0-r0 \|\| =1.5.0-r0 \|\| =1.6.0-r0 \|\| =1.7.0-r0 \|\| =1.7.1-r0 \|\| =1.8.0-r0 \|\| =1.9.1-r0 \|\| =1.9.2-r0 \|\| >=0 <1.41.0-r0	1.41.0-r0
alpine v3.18	nghttp2	=1.10.0-r0 \|\| =1.11.0-r0 \|\| =1.11.1-r0 \|\| =1.12.0-r0 \|\| =1.13.0-r0 \|\| =1.14.0-r0 \|\| =1.14.1-r0 \|\| =1.15.0-r0 \|\| =1.15.0-r1 \|\| =1.16.0-r0 \|\| =1.16.1-r0 \|\| =1.17.0-r0 \|\| =1.18.0-r0 \|\| =1.18.0-r1 \|\| =1.18.1-r0 \|\| =1.2.0-r0 \|\| =1.20.0-r0 \|\| =1.21.0-r0 \|\| =1.21.1-r0 \|\| =1.21.1-r1 \|\| =1.22.0-r0 \|\| =1.23.1-r0 \|\| =1.24.0-r0 \|\| =1.25.0-r0 \|\| =1.26.0-r0 \|\| =1.27.0-r0 \|\| =1.27.0-r1 \|\| =1.28.0-r0 \|\| =1.29.0-r0 \|\| =1.3.0-r0 \|\| =1.3.2-r0 \|\| =1.3.4-r0 \|\| =1.30.0-r0 \|\| =1.31.0-r0 \|\| =1.31.0-r1 \|\| =1.31.1-r0 \|\| =1.32.0-r0 \|\| =1.33.0-r0 \|\| =1.33.0-r1 \|\| =1.34.0-r0 \|\| =1.35.1-r0 \|\| =1.36.0-r0 \|\| =1.37.0-r0 \|\| =1.37.0-r1 \|\| =1.38.0-r0 \|\| =1.39.1-r0 \|\| =1.39.2-r0 \|\| =1.39.2-r1 \|\| =1.39.2-r2 \|\| =1.40.0-r0 \|\| =1.5.0-r0 \|\| =1.6.0-r0 \|\| =1.7.0-r0 \|\| =1.7.1-r0 \|\| =1.8.0-r0 \|\| =1.9.1-r0 \|\| =1.9.2-r0 \|\| >=0 <1.41.0-r0	1.41.0-r0
alpine v3.19	nghttp2	=1.10.0-r0 \|\| =1.11.0-r0 \|\| =1.11.1-r0 \|\| =1.12.0-r0 \|\| =1.13.0-r0 \|\| =1.14.0-r0 \|\| =1.14.1-r0 \|\| =1.15.0-r0 \|\| =1.15.0-r1 \|\| =1.16.0-r0 \|\| =1.16.1-r0 \|\| =1.17.0-r0 \|\| =1.18.0-r0 \|\| =1.18.0-r1 \|\| =1.18.1-r0 \|\| =1.2.0-r0 \|\| =1.20.0-r0 \|\| =1.21.0-r0 \|\| =1.21.1-r0 \|\| =1.21.1-r1 \|\| =1.22.0-r0 \|\| =1.23.1-r0 \|\| =1.24.0-r0 \|\| =1.25.0-r0 \|\| =1.26.0-r0 \|\| =1.27.0-r0 \|\| =1.27.0-r1 \|\| =1.28.0-r0 \|\| =1.29.0-r0 \|\| =1.3.0-r0 \|\| =1.3.2-r0 \|\| =1.3.4-r0 \|\| =1.30.0-r0 \|\| =1.31.0-r0 \|\| =1.31.0-r1 \|\| =1.31.1-r0 \|\| =1.32.0-r0 \|\| =1.33.0-r0 \|\| =1.33.0-r1 \|\| =1.34.0-r0 \|\| =1.35.1-r0 \|\| =1.36.0-r0 \|\| =1.37.0-r0 \|\| =1.37.0-r1 \|\| =1.38.0-r0 \|\| =1.39.1-r0 \|\| =1.39.2-r0 \|\| =1.39.2-r1 \|\| =1.39.2-r2 \|\| =1.40.0-r0 \|\| =1.5.0-r0 \|\| =1.6.0-r0 \|\| =1.7.0-r0 \|\| =1.7.1-r0 \|\| =1.8.0-r0 \|\| =1.9.1-r0 \|\| =1.9.2-r0 \|\| >=0 <1.41.0-r0	1.41.0-r0
alpine v3.20	nghttp2	=1.10.0-r0 \|\| =1.11.0-r0 \|\| =1.11.1-r0 \|\| =1.12.0-r0 \|\| =1.13.0-r0 \|\| =1.14.0-r0 \|\| =1.14.1-r0 \|\| =1.15.0-r0 \|\| =1.15.0-r1 \|\| =1.16.0-r0 \|\| =1.16.1-r0 \|\| =1.17.0-r0 \|\| =1.18.0-r0 \|\| =1.18.0-r1 \|\| =1.18.1-r0 \|\| =1.2.0-r0 \|\| =1.20.0-r0 \|\| =1.21.0-r0 \|\| =1.21.1-r0 \|\| =1.21.1-r1 \|\| =1.22.0-r0 \|\| =1.23.1-r0 \|\| =1.24.0-r0 \|\| =1.25.0-r0 \|\| =1.26.0-r0 \|\| =1.27.0-r0 \|\| =1.27.0-r1 \|\| =1.28.0-r0 \|\| =1.29.0-r0 \|\| =1.3.0-r0 \|\| =1.3.2-r0 \|\| =1.3.4-r0 \|\| =1.30.0-r0 \|\| =1.31.0-r0 \|\| =1.31.0-r1 \|\| =1.31.1-r0 \|\| =1.32.0-r0 \|\| =1.33.0-r0 \|\| =1.33.0-r1 \|\| =1.34.0-r0 \|\| =1.35.1-r0 \|\| =1.36.0-r0 \|\| =1.37.0-r0 \|\| =1.37.0-r1 \|\| =1.38.0-r0 \|\| =1.39.1-r0 \|\| =1.39.2-r0 \|\| =1.39.2-r1 \|\| =1.39.2-r2 \|\| =1.40.0-r0 \|\| =1.5.0-r0 \|\| =1.6.0-r0 \|\| =1.7.0-r0 \|\| =1.7.1-r0 \|\| =1.8.0-r0 \|\| =1.9.1-r0 \|\| =1.9.2-r0 \|\| >=0 <1.41.0-r0	1.41.0-r0
alpine v3.11	nodejs	=10.13.0-r0 \|\| =10.14.0-r0 \|\| =10.14.1-r0 \|\| =10.14.2-r0 \|\| =10.15.1-r0 \|\| =10.15.3-r0 \|\| =10.16.0-r0 \|\| =10.16.1-r0 \|\| =10.16.2-r0 \|\| =10.16.3-r0 \|\| =12.13.0-r0 \|\| =12.13.0-r1 \|\| =12.13.1-r0 \|\| =12.14.0-r0 \|\| =12.15.0-r0 \|\| =12.15.0-r1 \|\| =4.4.3-r0 \|\| =4.4.4-r0 \|\| =4.4.5-r0 \|\| =4.4.7-r0 \|\| =4.5.0-r0 \|\| =6.10.0-r0 \|\| =6.10.1-r0 \|\| =6.10.3-r0 \|\| =6.11.0-r0 \|\| =6.11.1-r0 \|\| =6.11.1-r1 \|\| =6.11.1-r2 \|\| =6.11.2-r0 \|\| =6.11.3-r0 \|\| =6.11.4-r0 \|\| =6.11.5-r0 \|\| =6.9.1-r0 \|\| =6.9.1-r1 \|\| =6.9.2-r0 \|\| =6.9.4-r0 \|\| =6.9.4-r1 \|\| =6.9.5-r0 \|\| =6.9.5-r1 \|\| =8.10.0-r0 \|\| =8.11.0-r0 \|\| =8.11.0-r1 \|\| =8.11.1-r0 \|\| =8.11.1-r1 \|\| =8.11.1-r2 \|\| =8.11.2-r0 \|\| =8.11.3-r0 \|\| =8.11.3-r1 \|\| =8.11.3-r2 \|\| =8.11.3-r3 \|\| =8.11.4-r0 \|\| =8.12.0-r0 \|\| =8.9.0-r0 \|\| =8.9.1-r0 \|\| =8.9.2-r0 \|\| =8.9.3-r0 \|\| =8.9.3-r1 \|\| =8.9.4-r0 \|\| >=0 <12.20.1-r0	12.20.1-r0
alpine v3.13	nodejs	=10.13.0-r0 \|\| =10.14.0-r0 \|\| =10.14.1-r0 \|\| =10.14.2-r0 \|\| =10.15.1-r0 \|\| =10.15.3-r0 \|\| =10.16.0-r0 \|\| =10.16.1-r0 \|\| =10.16.2-r0 \|\| =10.16.3-r0 \|\| =12.13.0-r0 \|\| =12.13.0-r1 \|\| =12.13.1-r0 \|\| =12.14.0-r0 \|\| =12.14.1-r0 \|\| =12.15.0-r0 \|\| =12.15.0-r1 \|\| =12.15.0-r2 \|\| =12.16.2-r0 \|\| =12.16.3-r0 \|\| =12.16.3-r1 \|\| =12.17.0-r0 \|\| =4.4.3-r0 \|\| =4.4.4-r0 \|\| =4.4.5-r0 \|\| =4.4.7-r0 \|\| =4.5.0-r0 \|\| =6.10.0-r0 \|\| =6.10.1-r0 \|\| =6.10.3-r0 \|\| =6.11.0-r0 \|\| =6.11.1-r0 \|\| =6.11.1-r1 \|\| =6.11.1-r2 \|\| =6.11.2-r0 \|\| =6.11.3-r0 \|\| =6.11.4-r0 \|\| =6.11.5-r0 \|\| =6.9.1-r0 \|\| =6.9.1-r1 \|\| =6.9.2-r0 \|\| =6.9.4-r0 \|\| =6.9.4-r1 \|\| =6.9.5-r0 \|\| =6.9.5-r1 \|\| =8.10.0-r0 \|\| =8.11.0-r0 \|\| =8.11.0-r1 \|\| =8.11.1-r0 \|\| =8.11.1-r1 \|\| =8.11.1-r2 \|\| =8.11.2-r0 \|\| =8.11.3-r0 \|\| =8.11.3-r1 \|\| =8.11.3-r2 \|\| =8.11.3-r3 \|\| =8.11.4-r0 \|\| =8.12.0-r0 \|\| =8.9.0-r0 \|\| =8.9.1-r0 \|\| =8.9.2-r0 \|\| =8.9.3-r0 \|\| =8.9.3-r1 \|\| =8.9.4-r0 \|\| >=0 <12.18.0-r0	12.18.0-r0
alpine v3.14	nodejs	=10.13.0-r0 \|\| =10.14.0-r0 \|\| =10.14.1-r0 \|\| =10.14.2-r0 \|\| =10.15.1-r0 \|\| =10.15.3-r0 \|\| =10.16.0-r0 \|\| =10.16.1-r0 \|\| =10.16.2-r0 \|\| =10.16.3-r0 \|\| =12.13.0-r0 \|\| =12.13.0-r1 \|\| =12.13.1-r0 \|\| =12.14.0-r0 \|\| =12.14.1-r0 \|\| =12.15.0-r0 \|\| =12.15.0-r1 \|\| =12.15.0-r2 \|\| =12.16.2-r0 \|\| =12.16.3-r0 \|\| =12.16.3-r1 \|\| =12.17.0-r0 \|\| =4.4.3-r0 \|\| =4.4.4-r0 \|\| =4.4.5-r0 \|\| =4.4.7-r0 \|\| =4.5.0-r0 \|\| =6.10.0-r0 \|\| =6.10.1-r0 \|\| =6.10.3-r0 \|\| =6.11.0-r0 \|\| =6.11.1-r0 \|\| =6.11.1-r1 \|\| =6.11.1-r2 \|\| =6.11.2-r0 \|\| =6.11.3-r0 \|\| =6.11.4-r0 \|\| =6.11.5-r0 \|\| =6.9.1-r0 \|\| =6.9.1-r1 \|\| =6.9.2-r0 \|\| =6.9.4-r0 \|\| =6.9.4-r1 \|\| =6.9.5-r0 \|\| =6.9.5-r1 \|\| =8.10.0-r0 \|\| =8.11.0-r0 \|\| =8.11.0-r1 \|\| =8.11.1-r0 \|\| =8.11.1-r1 \|\| =8.11.1-r2 \|\| =8.11.2-r0 \|\| =8.11.3-r0 \|\| =8.11.3-r1 \|\| =8.11.3-r2 \|\| =8.11.3-r3 \|\| =8.11.4-r0 \|\| =8.12.0-r0 \|\| =8.9.0-r0 \|\| =8.9.1-r0 \|\| =8.9.2-r0 \|\| =8.9.3-r0 \|\| =8.9.3-r1 \|\| =8.9.4-r0 \|\| >=0 <12.18.0-r0	12.18.0-r0
alpine v3.12	nghttp2	=1.10.0-r0 \|\| =1.11.0-r0 \|\| =1.11.1-r0 \|\| =1.12.0-r0 \|\| =1.13.0-r0 \|\| =1.14.0-r0 \|\| =1.14.1-r0 \|\| =1.15.0-r0 \|\| =1.15.0-r1 \|\| =1.16.0-r0 \|\| =1.16.1-r0 \|\| =1.17.0-r0 \|\| =1.18.0-r0 \|\| =1.18.0-r1 \|\| =1.18.1-r0 \|\| =1.2.0-r0 \|\| =1.20.0-r0 \|\| =1.21.0-r0 \|\| =1.21.1-r0 \|\| =1.21.1-r1 \|\| =1.22.0-r0 \|\| =1.23.1-r0 \|\| =1.24.0-r0 \|\| =1.25.0-r0 \|\| =1.26.0-r0 \|\| =1.27.0-r0 \|\| =1.27.0-r1 \|\| =1.28.0-r0 \|\| =1.29.0-r0 \|\| =1.3.0-r0 \|\| =1.3.2-r0 \|\| =1.3.4-r0 \|\| =1.30.0-r0 \|\| =1.31.0-r0 \|\| =1.31.0-r1 \|\| =1.31.1-r0 \|\| =1.32.0-r0 \|\| =1.33.0-r0 \|\| =1.33.0-r1 \|\| =1.34.0-r0 \|\| =1.35.1-r0 \|\| =1.36.0-r0 \|\| =1.37.0-r0 \|\| =1.37.0-r1 \|\| =1.38.0-r0 \|\| =1.39.1-r0 \|\| =1.39.2-r0 \|\| =1.39.2-r1 \|\| =1.39.2-r2 \|\| =1.40.0-r0 \|\| =1.5.0-r0 \|\| =1.6.0-r0 \|\| =1.7.0-r0 \|\| =1.7.1-r0 \|\| =1.8.0-r0 \|\| =1.9.1-r0 \|\| =1.9.2-r0 \|\| >=0 <1.41.0-r0	1.41.0-r0
alpine v3.22	nghttp2	=1.10.0-r0 \|\| =1.11.0-r0 \|\| =1.11.1-r0 \|\| =1.12.0-r0 \|\| =1.13.0-r0 \|\| =1.14.0-r0 \|\| =1.14.1-r0 \|\| =1.15.0-r0 \|\| =1.15.0-r1 \|\| =1.16.0-r0 \|\| =1.16.1-r0 \|\| =1.17.0-r0 \|\| =1.18.0-r0 \|\| =1.18.0-r1 \|\| =1.18.1-r0 \|\| =1.2.0-r0 \|\| =1.20.0-r0 \|\| =1.21.0-r0 \|\| =1.21.1-r0 \|\| =1.21.1-r1 \|\| =1.22.0-r0 \|\| =1.23.1-r0 \|\| =1.24.0-r0 \|\| =1.25.0-r0 \|\| =1.26.0-r0 \|\| =1.27.0-r0 \|\| =1.27.0-r1 \|\| =1.28.0-r0 \|\| =1.29.0-r0 \|\| =1.3.0-r0 \|\| =1.3.2-r0 \|\| =1.3.4-r0 \|\| =1.30.0-r0 \|\| =1.31.0-r0 \|\| =1.31.0-r1 \|\| =1.31.1-r0 \|\| =1.32.0-r0 \|\| =1.33.0-r0 \|\| =1.33.0-r1 \|\| =1.34.0-r0 \|\| =1.35.1-r0 \|\| =1.36.0-r0 \|\| =1.37.0-r0 \|\| =1.37.0-r1 \|\| =1.38.0-r0 \|\| =1.39.1-r0 \|\| =1.39.2-r0 \|\| =1.39.2-r1 \|\| =1.39.2-r2 \|\| =1.40.0-r0 \|\| =1.5.0-r0 \|\| =1.6.0-r0 \|\| =1.7.0-r0 \|\| =1.7.1-r0 \|\| =1.8.0-r0 \|\| =1.9.1-r0 \|\| =1.9.2-r0 \|\| >=0 <1.41.0-r0	1.41.0-r0
alpine v3.21	nodejs	>=0 <12.18.0-r0	12.18.0-r0

1-10 of 40

Aliases

1. CVE-2020-110802. NVD-2020-110803. OSV-ALPINE-2020-110804. OSV-2020-110805. OSV-DEBIAN-2020-110806. SECURITY-CVE-2020-110807. SECURITY-TRACKER-CVE-2020-11080

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.