Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Denial of service in nghttp2
Vulnerability Description
In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround to this vulnerability. Implement nghttp2_on_frame_recv_callback callback, and if received frame is SETTINGS frame and the number of settings entries are large (e.g., > 32), then drop the connection.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Vulnerability Type
对消息或数据结构的处理不恰当
Vulnerability Title
HTTP/2 资源管理错误漏洞
Vulnerability Description
HTTP/2是超文本传输协议的第二版,主要用于保证客户机与服务器之间的通信。 HTTP/2 1.41.0之前版本中存在资源管理错误漏洞。攻击者可借助恶意的客户端构建14,400字节长度的SETTINGS帧利用该漏洞造成拒绝服务。
CVSS Information
N/A
Vulnerability Type
N/A