CVE-2021-20237
published 2021-05-28CVE-2021-20237: An uncontrolled resource consumption (memory leak) flaw was found in ZeroMQ's src/xpub.cpp in versions before 4.3.3. This flaw allows a remote unauthenticated…
PriorityP342high7.5CVSS 3.1
AVNACLPRNUINSUCNINAH
EPSS
1.69%
74.2th percentile
An uncontrolled resource consumption (memory leak) flaw was found in ZeroMQ's src/xpub.cpp in versions before 4.3.3. This flaw allows a remote unauthenticated attacker to send crafted PUB messages that consume excessive memory if the CURVE/ZAP authentication is disabled on the server, causing a denial of service. The highest threat from this vulnerability is to system availability.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | zeromq3 | < zeromq3 4.3.3-1 (bookworm) | zeromq3 4.3.3-1 (bookworm) |
| zeromq | libzmq | >= 4.2.0 < 4.3.3 | 4.3.3 |
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:N/I:N/A:P
osv9.8CRITICAL
vendor_ubuntu9.8CRITICAL
vendor_debian7.5HIGH
vendor_redhat7.5HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Ubuntu
ZeroMQ vulnerabilities
vendor_ubuntu·2022-06-15·CVSS 9.8
CVE-2020-15166 [CRITICAL] ZeroMQ vulnerabilities
Title: ZeroMQ vulnerabilities
Summary: Several security issues were fixed in ZeroMQ.
It was discovered that ZeroMQ incorrectly handled certain application
metadata. A remote attacker could use this issue to cause ZeroMQ to crash,
or possibly execute arbitrary code. (CVE-2019-13132)
It was discovered that ZeroMQ mishandled certain network traffic. An
unauthenticated attacker could use this vulnerability to cause a denial-of-
service and prevent legitimate clients from communicating with ZeroMQ.
(CVE-2020-15166)
It was discovered that ZeroMQ did not properly manage memory under certain
circumstances. If a user or automated system were tricked into connecting
to one or multiple compromised servers, a remote attacker could use this
issue to cause a denial of service. (CVE-2021-20234)
It w
Debian
CVE-2021-20237: zeromq3 - An uncontrolled resource consumption (memory leak) flaw was found in ZeroMQ's sr...
vendor_debian·2021·CVSS 7.5
CVE-2021-20237 [HIGH] CVE-2021-20237: zeromq3 - An uncontrolled resource consumption (memory leak) flaw was found in ZeroMQ's sr...
An uncontrolled resource consumption (memory leak) flaw was found in ZeroMQ's src/xpub.cpp in versions before 4.3.3. This flaw allows a remote unauthenticated attacker to send crafted PUB messages that consume excessive memory if the CURVE/ZAP authentication is disabled on the server, causing a denial of service. The highest threat from this vulnerability is to system availability.
Scope: local
bookworm: resolved (fixed in 4.3.3-1)
bullseye: resolved (fixed in 4.3.3-1)
forky: resolved (fixed in 4.3.3-1)
sid: resolved (fixed in 4.3.3-1)
trixie: resolved (fixed in 4.3.3-1)
Red Hat
zeromq: Memory leaks via metadata messages processed by PUB sockets
vendor_redhat·2020-09-07·CVSS 7.5
CVE-2021-20237 [HIGH] CWE-400 zeromq: Memory leaks via metadata messages processed by PUB sockets
zeromq: Memory leaks via metadata messages processed by PUB sockets
An uncontrolled resource consumption (memory leak) flaw was found in ZeroMQ's src/xpub.cpp in versions before 4.3.3. This flaw allows a remote unauthenticated attacker to send crafted PUB messages that consume excessive memory if the CURVE/ZAP authentication is disabled on the server, causing a denial of service. The highest threat from this vulnerability is to system availability.
An uncontrolled resource consumption (memory leak) flaw was found in ZeroMQ's src/xpub.cpp. This flaw allows a remote unauthenticated attacker to send crafted PUB messages that consume excessive memory if the CURVE/ZAP authentication is disabled on the server, causing a denial of service. The highest threat from this vulnerability is to system
OSV
zeromq3 vulnerabilities
osv·2022-06-15·CVSS 9.8
CVE-2019-13132 [CRITICAL] zeromq3 vulnerabilities
zeromq3 vulnerabilities
It was discovered that ZeroMQ incorrectly handled certain application
metadata. A remote attacker could use this issue to cause ZeroMQ to crash,
or possibly execute arbitrary code. (CVE-2019-13132)
It was discovered that ZeroMQ mishandled certain network traffic. An
unauthenticated attacker could use this vulnerability to cause a denial-of-
service and prevent legitimate clients from communicating with ZeroMQ.
(CVE-2020-15166)
It was discovered that ZeroMQ did not properly manage memory under certain
circumstances. If a user or automated system were tricked into connecting
to one or multiple compromised servers, a remote attacker could use this
issue to cause a denial of service. (CVE-2021-20234)
It was discovered that ZeroMQ incorrectly handled memory when proc
GHSA
GHSA-98wx-fq4r-jfm2: An uncontrolled resource consumption (memory leak) flaw was found in ZeroMQ's src/xpub
ghsa_unreviewed·2022-05-24
CVE-2021-20237 [HIGH] CWE-400 GHSA-98wx-fq4r-jfm2: An uncontrolled resource consumption (memory leak) flaw was found in ZeroMQ's src/xpub
An uncontrolled resource consumption (memory leak) flaw was found in ZeroMQ's src/xpub.cpp in versions before 4.3.3. This flaw allows a remote unauthenticated attacker to send crafted PUB messages that consume excessive memory if the CURVE/ZAP authentication is disabled on the server, causing a denial of service. The highest threat from this vulnerability is to system availability.
OSV
CVE-2021-20237: An uncontrolled resource consumption (memory leak) flaw was found in ZeroMQ's src/xpub
osv·2021-05-28·CVSS 7.5
CVE-2021-20237 [HIGH] CVE-2021-20237: An uncontrolled resource consumption (memory leak) flaw was found in ZeroMQ's src/xpub
An uncontrolled resource consumption (memory leak) flaw was found in ZeroMQ's src/xpub.cpp in versions before 4.3.3. This flaw allows a remote unauthenticated attacker to send crafted PUB messages that consume excessive memory if the CURVE/ZAP authentication is disabled on the server, causing a denial of service. The highest threat from this vulnerability is to system availability.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2021-05-28
Published