CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2021-20234
https://notcve.org/view.php?id=CVE-2021-20234
An uncontrolled resource consumption (memory leak) flaw was found in the ZeroMQ client in versions before 4.3.3 in src/pipe.cpp. This issue causes a client that connects to multiple malicious or compromised servers to crash. The highest threat from this vulnerability is to system availability. Se encontró un fallo de consumo de recursos no controlado (pérdida de la memoria) en el cliente ZeroMQ en versiones anteriores a 4.3.3, en el archivo src/pipe.cpp. Este problema causa que un cliente que se conecta a múltiples servidores maliciosos o comprometidos se bloquee. • https://bugzilla.redhat.com/show_bug.cgi?id=1921972 https://github.com/zeromq/libzmq/security/advisories/GHSA-wfr2-29gj-5w87 • CWE-400: Uncontrolled Resource Consumption CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 7.5EPSS: 1%CPEs: 4EXPL: 0CVE-2020-15166 – Denial of Service in ZeroMQ
https://notcve.org/view.php?id=CVE-2020-15166
In ZeroMQ before version 4.3.3, there is a denial-of-service vulnerability. Users with TCP transport public endpoints, even with CURVE/ZAP enabled, are impacted. If a raw TCP socket is opened and connected to an endpoint that is fully configured with CURVE/ZAP, legitimate clients will not be able to exchange any message. Handshakes complete successfully, and messages are delivered to the library, but the server application never receives them. This is patched in version 4.3.3. • https://github.com/zeromq/libzmq/pull/3913 https://github.com/zeromq/libzmq/pull/3973 https://github.com/zeromq/libzmq/security/advisories/GHSA-25wp-cf8g-938m https://lists.debian.org/debian-lts-announce/2020/11/msg00017.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BZ5IMNQXDB52JFBXHFLK4AHVORFELNNG https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YFW2ZELCCPS4VLU4OSJOH5YL6KFKTFYW https://security.gentoo.org/glsa/202009-12 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 9.8EPSS: 54%CPEs: 12EXPL: 0CVE-2019-13132
https://notcve.org/view.php?id=CVE-2019-13132
In ZeroMQ libzmq before 4.0.9, 4.1.x before 4.1.7, and 4.2.x before 4.3.2, a remote, unauthenticated client connecting to a libzmq application, running with a socket listening with CURVE encryption/authentication enabled, may cause a stack overflow and overwrite the stack with arbitrary data, due to a buffer overflow in the library. Users running public servers with the above configuration are highly encouraged to upgrade as soon as possible, as there are no known mitigations. En ZeroMQ libzmq anterior a versión 4.0.9, versiones 4.1.x anteriores a 4.1.7, y versiones 4.2.x anteriores a 4.3.2, un cliente no identificado remoto que se conecta a una aplicación libzmq, ejecutándose con un socket de escucha con el cifrado y autenticación CURVE habilitado, puede causar un desbordamiento de pila y sobreescritura de pila con datos arbitrarios, debido a un desbordamiento de búfer en la biblioteca. Se exhorta a los usuarios que ejecutan servidores públicos con la configuración anterior que realicen su actualización lo antes posible, ya que no existen mitigaciones conocidas. • http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00033.html http://www.openwall.com/lists/oss-security/2019/07/08/6 http://www.securityfocus.com/bid/109284 https://fangpenlin.com/posts/2024/04/07/how-i-discovered-a-9-point-8-critical-security-vulnerability-in-zeromq-with-mostly-pure-luck https://github.com/zeromq/libzmq/issues/3558 https://github.com/zeromq/libzmq/releases https://lists.debian.org/debian-lts-announce/2019/07/msg00007.html https://lists.fedoraproject • CWE-787: Out-of-bounds Write •