CVE-2020-36400
https://notcve.org/view.php?id=CVE-2020-36400
ZeroMQ libzmq 4.3.3 has a heap-based buffer overflow in zmq::tcp_read, a different vulnerability than CVE-2021-20235. ZeroMQ libzmq versión 4.3.3, presenta un desbordamiento de búfer en la región heap de la memoria en la función zmq::tcp_read, una vulnerabilidad diferente a CVE-2021-20235 • https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26042 https://github.com/google/oss-fuzz-vulns/blob/main/vulns/libzmq/OSV-2020-1887.yaml https://github.com/zeromq/libzmq/commit/397ac80850bf8d010fae23dd215db0ee2c677306 • CWE-787: Out-of-bounds Write •
CVE-2021-20237
https://notcve.org/view.php?id=CVE-2021-20237
An uncontrolled resource consumption (memory leak) flaw was found in ZeroMQ's src/xpub.cpp in versions before 4.3.3. This flaw allows a remote unauthenticated attacker to send crafted PUB messages that consume excessive memory if the CURVE/ZAP authentication is disabled on the server, causing a denial of service. The highest threat from this vulnerability is to system availability. Se encontró un fallo de consumo de recursos incontrolado (filtrado de memoria) en el archivo src/xpub.cpp de ZeroMQ en versiones anteriores a 4.3.3. Este fallo permite a un atacante remoto no autenticado enviar mensajes PUB diseñados que consumen memoria excesiva si la autenticación CURVE/ZAP está deshabilitada en el servidor, causando una denegación de servicio. • https://bugzilla.redhat.com/show_bug.cgi?id=1921989 https://github.com/zeromq/libzmq/security/advisories/GHSA-4p5v-h92w-6wxw • CWE-400: Uncontrolled Resource Consumption CWE-401: Missing Release of Memory after Effective Lifetime •
CVE-2021-20235
https://notcve.org/view.php?id=CVE-2021-20235
There's a flaw in the zeromq server in versions before 4.3.3 in src/decoder_allocators.hpp. The decoder static allocator could have its sized changed, but the buffer would remain the same as it is a static buffer. A remote, unauthenticated attacker who sends a crafted request to the zeromq server could trigger a buffer overflow WRITE of arbitrary data if CURVE/ZAP authentication is not enabled. The greatest impact of this flaw is to application availability, data integrity, and confidentiality. Se presenta un fallo en el servidor zeromq en versiones anteriores a 4.3.3, en el archivo src/decoder_allocators.hpp. • https://bugzilla.redhat.com/show_bug.cgi?id=1921983 https://github.com/zeromq/libzmq/security/advisories/GHSA-fc3w-qxf5-7hp6 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE-787: Out-of-bounds Write •
CVE-2021-20234
https://notcve.org/view.php?id=CVE-2021-20234
An uncontrolled resource consumption (memory leak) flaw was found in the ZeroMQ client in versions before 4.3.3 in src/pipe.cpp. This issue causes a client that connects to multiple malicious or compromised servers to crash. The highest threat from this vulnerability is to system availability. Se encontró un fallo de consumo de recursos no controlado (pérdida de la memoria) en el cliente ZeroMQ en versiones anteriores a 4.3.3, en el archivo src/pipe.cpp. Este problema causa que un cliente que se conecta a múltiples servidores maliciosos o comprometidos se bloquee. • https://bugzilla.redhat.com/show_bug.cgi?id=1921972 https://github.com/zeromq/libzmq/security/advisories/GHSA-wfr2-29gj-5w87 • CWE-400: Uncontrolled Resource Consumption CWE-401: Missing Release of Memory after Effective Lifetime •
CVE-2020-15166 – Denial of Service in ZeroMQ
https://notcve.org/view.php?id=CVE-2020-15166
In ZeroMQ before version 4.3.3, there is a denial-of-service vulnerability. Users with TCP transport public endpoints, even with CURVE/ZAP enabled, are impacted. If a raw TCP socket is opened and connected to an endpoint that is fully configured with CURVE/ZAP, legitimate clients will not be able to exchange any message. Handshakes complete successfully, and messages are delivered to the library, but the server application never receives them. This is patched in version 4.3.3. • https://github.com/zeromq/libzmq/pull/3913 https://github.com/zeromq/libzmq/pull/3973 https://github.com/zeromq/libzmq/security/advisories/GHSA-25wp-cf8g-938m https://lists.debian.org/debian-lts-announce/2020/11/msg00017.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BZ5IMNQXDB52JFBXHFLK4AHVORFELNNG https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YFW2ZELCCPS4VLU4OSJOH5YL6KFKTFYW https://security.gentoo.org/glsa/202009-12 • CWE-400: Uncontrolled Resource Consumption •