Denial of Service : nghttp2 < 1.41.0 DoS Vulnerability

Búsqueda de Vulnerabilidad		Buscar 324607 Descripciones CVE y 145615 Descripciones de Pruebas, accesos 10,000+ referencias cruzadas.
	Pruebas CVE Todos

ID de Prueba: 1.3.6.1.4.1.25623.1.0.144089

Categoría: Denial of Service

Título: nghttp2 < 1.41.0 DoS Vulnerability

Resumen: nghttpd2 is prone to a denial of service vulnerability due to when; receiving an overly large HTTP/2 SETTINGS frame payload.

Descripción: Summary:
nghttpd2 is prone to a denial of service vulnerability due to when
receiving an overly large HTTP/2 SETTINGS frame payload.

Vulnerability Insight:
The proof of concept attack involves a malicious client constructing a
SETTINGS frame with a length of 14400 bytes (2400 individual settings entries) over and over again. The
attack causes the CPU to spike at 100%.

Affected Software/OS:
nghttpd2 versions prior to 1.41.0.

Solution:
Update to version 1.41.0 or later.

CVSS Score:
5.0

CVSS Vector:
AV:N/AC:L/Au:N/C:N/I:N/A:P

Referencia Cruzada: Common Vulnerability Exposure (CVE) ID: CVE-2020-11080
https://github.com/nghttp2/nghttp2/security/advisories/GHSA-q5wr-xfw9-q7xr
Debian Security Information: DSA-4696 (Google Search)
https://www.debian.org/security/2020/dsa-4696
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AAC2AA36OTRHKSVM5OV7TTVB3CZIGEFL/
https://github.com/nghttp2/nghttp2/commit/336a98feb0d56b9ac54e12736b18785c27f75090
https://github.com/nghttp2/nghttp2/commit/f8da73bd042f810f34d19f9eae02b46d870af394
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujan2021.html
https://www.oracle.com/security-alerts/cpujul2020.html
https://www.oracle.com/security-alerts/cpuoct2020.html
https://lists.debian.org/debian-lts-announce/2021/10/msg00011.html
https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html
SuSE Security Announcement: openSUSE-SU-2020:0802 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00024.html

Copyright Copyright (C) 2020 Greenbone Networks GmbH

Esta es sólo una de 145615 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa.
Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.

ID de Prueba:	1.3.6.1.4.1.25623.1.0.144089
Categoría:	Denial of Service
Título:	nghttp2 < 1.41.0 DoS Vulnerability
Resumen:	nghttpd2 is prone to a denial of service vulnerability due to when; receiving an overly large HTTP/2 SETTINGS frame payload.
Descripción:	Summary: nghttpd2 is prone to a denial of service vulnerability due to when receiving an overly large HTTP/2 SETTINGS frame payload. Vulnerability Insight: The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. Affected Software/OS: nghttpd2 versions prior to 1.41.0. Solution: Update to version 1.41.0 or later. CVSS Score: 5.0 CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Referencia Cruzada:	Common Vulnerability Exposure (CVE) ID: CVE-2020-11080 https://github.com/nghttp2/nghttp2/security/advisories/GHSA-q5wr-xfw9-q7xr Debian Security Information: DSA-4696 (Google Search) https://www.debian.org/security/2020/dsa-4696 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AAC2AA36OTRHKSVM5OV7TTVB3CZIGEFL/ https://github.com/nghttp2/nghttp2/commit/336a98feb0d56b9ac54e12736b18785c27f75090 https://github.com/nghttp2/nghttp2/commit/f8da73bd042f810f34d19f9eae02b46d870af394 https://www.oracle.com//security-alerts/cpujul2021.html https://www.oracle.com/security-alerts/cpuapr2022.html https://www.oracle.com/security-alerts/cpujan2021.html https://www.oracle.com/security-alerts/cpujul2020.html https://www.oracle.com/security-alerts/cpuoct2020.html https://lists.debian.org/debian-lts-announce/2021/10/msg00011.html https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html SuSE Security Announcement: openSUSE-SU-2020:0802 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00024.html
Copyright	Copyright (C) 2020 Greenbone Networks GmbH