CVE-2020-15166

Published: Sep 11, 2020Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

In ZeroMQ before version 4.3.3, there is a denial-of-service vulnerability. Users with TCP transport public endpoints, even with CURVE/ZAP enabled, are impacted. If a raw TCP socket is opened and connected to an endpoint that is fully configured with CURVE/ZAP, legitimate clients will not be able to exchange any message. Handshakes complete successfully, and messages are delivered to the library, but the server application never receives them. This is patched in version 4.3.3.

Affected (4)

Products: Zeromq: Libzmq · Fedoraproject: Fedora · Debian: Debian Linux

1 product

1 product

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Zeromq Libzmq	Before 4.3.3

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 32
Fedoraproject Fedora	Version 33

Configuration C

1 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 9.0

Related CWEs

Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

References (14)

https://github.com/zeromq/libzmq/pull/3913

Source: security-advisories@github.com

PatchThird Party Advisory

https://github.com/zeromq/libzmq/pull/3973

Source: security-advisories@github.com

PatchThird Party Advisory

https://github.com/zeromq/libzmq/security/advisories/GHSA-25wp-cf8g-938m

Source: security-advisories@github.com

PatchThird Party Advisory

https://lists.debian.org/debian-lts-announce/2020/11/msg00017.html

Source: security-advisories@github.com

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BZ5IMNQXDB52JFBXHFLK4AHVORFELNNG/

Source: security-advisories@github.com

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YFW2ZELCCPS4VLU4OSJOH5YL6KFKTFYW/

Source: security-advisories@github.com

https://security.gentoo.org/glsa/202009-12

Source: security-advisories@github.com

Third Party Advisory

https://github.com/zeromq/libzmq/pull/3913

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/zeromq/libzmq/pull/3973

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/zeromq/libzmq/security/advisories/GHSA-25wp-cf8g-938m

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://lists.debian.org/debian-lts-announce/2020/11/msg00017.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BZ5IMNQXDB52JFBXHFLK4AHVORFELNNG/

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YFW2ZELCCPS4VLU4OSJOH5YL6KFKTFYW/

Source: af854a3a-2127-422b-91ae-364da2661108

https://security.gentoo.org/glsa/202009-12

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.