QwikSec

Security Database

CVE

CWE

Training

CVE-2020-15166

Published: Sep 11, 2020

Modified: Aug 4, 2024

PUBLISHED

CVSS v3.1

7.5

HIGH

Description

In ZeroMQ before version 4.3.3, there is a denial-of-service vulnerability. Users with TCP transport public endpoints, even with CURVE/ZAP enabled, are impacted. If a raw TCP socket is opened and connected to an endpoint that is fully configured with CURVE/ZAP, legitimate clients will not be able to exchange any message. Handshakes complete successfully, and messages are delivered to the library, but the server application never receives them. This is patched in version 4.3.3.

Vendor	Product	Versions
zeromq	libzmq	affected `< 4.3.3`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

References

https://github.com/zeromq/libzmq/security/advisories/GHSA-25wp-cf8g-938m

x_refsource_CONFIRM

https://github.com/zeromq/libzmq/pull/3913

x_refsource_MISC

https://github.com/zeromq/libzmq/pull/3973

x_refsource_MISC

vendor-advisory

x_refsource_GENTOO

FEDORA-2020-08402f4071

vendor-advisory

x_refsource_FEDORA

FEDORA-2020-5460fcf6bd

vendor-advisory

x_refsource_FEDORA

[debian-lts-announce] 20201110 [SECURITY] [DLA 2443-1] zeromq3 security update

mailing-list

x_refsource_MLIST

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.