CVE-2021-20237 — Uncontrolled Resource Consumption in Libzmq

CWE-400 — Uncontrolled Resource Consumption CWE-401 — Missing Release of Memory after Effective Lifetime8 documents7 sources

Severity

7.5HIGHNVD

OSV9.8

EPSS

3.5%

top 12.37%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zeromq Libzmq Zeromq

Timeline

PublishedMay 28

Latest updateJun 15

Description

An uncontrolled resource consumption (memory leak) flaw was found in ZeroMQ's src/xpub.cpp in versions before 4.3.3. This flaw allows a remote unauthenticated attacker to send crafted PUB messages that consume excessive memory if the CURVE/ZAP authentication is disabled on the server, causing a denial of service. The highest threat from this vulnerability is to system availability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDzeromq/libzmq4.2.0 — 4.3.3

▶CVEListV5zeromq/zeromqzeromq 4.3.3

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

zeromq3 vulnerabilities↗2022-06-15

▶

GHSA

GHSA-98wx-fq4r-jfm2: An uncontrolled resource consumption (memory leak) flaw was found in ZeroMQ's src/xpub↗2022-05-24

▶

CVEList

CVE-2021-20237: An uncontrolled resource consumption (memory leak) flaw was found in ZeroMQ's src/xpub↗2021-05-28

▶

OSV

CVE-2021-20237: An uncontrolled resource consumption (memory leak) flaw was found in ZeroMQ's src/xpub↗2021-05-28

▶

📋Vendor Advisories

Ubuntu

ZeroMQ vulnerabilities↗2022-06-15

▶

Debian

CVE-2021-20237: zeromq3 - An uncontrolled resource consumption (memory leak) flaw was found in ZeroMQ's sr...↗2021

▶

Red Hat

zeromq: Memory leaks via metadata messages processed by PUB sockets↗2020-09-07

▶