CVE-2021-20237

Published: May 28, 2021Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

An uncontrolled resource consumption (memory leak) flaw was found in ZeroMQ's src/xpub.cpp in versions before 4.3.3. This flaw allows a remote unauthenticated attacker to send crafted PUB messages that consume excessive memory if the CURVE/ZAP authentication is disabled on the server, causing a denial of service. The highest threat from this vulnerability is to system availability.

Affected (1)

Products: Zeromq: Libzmq

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Zeromq Libzmq	From 4.2.0 to 4.3.3

Related CWEs

Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

Missing Release of Memory after Effective Lifetime

The product does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory.

References (4)

https://bugzilla.redhat.com/show_bug.cgi?id=1921989

Source: secalert@redhat.com

Issue TrackingThird Party Advisory

https://github.com/zeromq/libzmq/security/advisories/GHSA-4p5v-h92w-6wxw

Source: secalert@redhat.com

PatchThird Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=1921989

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingThird Party Advisory

https://github.com/zeromq/libzmq/security/advisories/GHSA-4p5v-h92w-6wxw

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

Timeline

No history available yet.