CPE-D3941666-4454-4FB4-AFE6-104243B75B60 Detail

CPE Details

nghttp2 1.29.0

Vendor

nghttp2

Product

nghttp2

Version

1.29.0

Created

2018-06-13
12h09 +00:00

Modified

2018-06-13
12h09 +00:00

Official links

CPE NVD

Alerte pour un CPE

Stay informed of any changes for a specific CPE.

Notifications manage

List of Notifications

Alerte pour un CPE

Stay informed of any changes for a specific CPE.

Parameters

You can specify a title that will be retrieved in the alerts that will be sent out.

CPE ID

Planning

Month

Next run calculation

Day

Weekday

Hour

Minute

Creation date

Last execution

Next execution

Functionality requiring a connection

This feature, which allows you to receive alerts, is only active when you are logged into your account.

CPE Name: cpe:2.3:a:nghttp2:nghttp2:1.29.0:::::::*

Informations

Vendor

nghttp2

Product

nghttp2

Version

1.29.0

Related CVE

Open and find in CVE List

CVE ID	Published	Description	Score	Severity
CVE-2023-44487	2023-10-09 22h00 +00:00	The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.	7.5	High
CVE-2023-35945	2023-07-13 20h41 +00:00	Envoy is a cloud-native high-performance edge/middle/service proxy. Envoy’s HTTP/2 codec may leak a header map and bookkeeping structures upon receiving `RST_STREAM` immediately followed by the `GOAWAY` frames from an upstream server. In nghttp2, cleanup of pending requests due to receipt of the `GOAWAY` frame skips de-allocation of the bookkeeping structure and pending compressed header. The error return [code path] is taken if connection is already marked for not sending more requests due to `GOAWAY` frame. The clean-up code is right after the return statement, causing memory leak. Denial of service through memory exhaustion. This vulnerability was patched in versions(s) 1.26.3, 1.25.8, 1.24.9, 1.23.11.	7.5	High
CVE-2020-11080	2020-06-02 22h00 +00:00	In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround to this vulnerability. Implement nghttp2_on_frame_recv_callback callback, and if received frame is SETTINGS frame and the number of settings entries are large (e.g., > 32), then drop the connection.	7.5	High
CVE-2018-1000168	2018-05-08 13h00 +00:00	nghttp2 version >= 1.10.0 and nghttp2 <= v1.31.0 contains an Improper Input Validation CWE-20 vulnerability in ALTSVC frame handling that can result in segmentation fault leading to denial of service. This attack appears to be exploitable via network client. This vulnerability appears to have been fixed in >= 1.31.1.	7.5	High

nghttp2 1.29.0

CPE Details

CPE Name: cpe:2.3:a:nghttp2:nghttp2:1.29.0:*:*:*:*:*:*:*

Informations

Vendor

Product

Version

Related CVE

CPE Name: cpe:2.3:a:nghttp2:nghttp2:1.29.0:::::::*