CVE-2019-13132

Vulnerability Description

In ZeroMQ libzmq before 4.0.9, 4.1.x before 4.1.7, and 4.2.x before 4.3.2, a remote, unauthenticated client connecting to a libzmq application, running with a socket listening with CURVE encryption/authentication enabled, may cause a stack overflow and overwrite the stack with arbitrary data, due to a buffer overflow in the library. Users running public servers with the above configuration are highly encouraged to upgrade as soon as possible, as there are no known mitigations.

CVSS Score

Affected Products

Related Weaknesses (CWE)

References

• http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00033.htmlBroken Link
• http://www.openwall.com/lists/oss-security/2019/07/08/6Mailing ListRelease NotesThird Party Advisory
• http://www.securityfocus.com/bid/109284Broken LinkThird Party AdvisoryVDB Entry
• https://fangpenlin.com/posts/2024/04/07/how-i-discovered-a-9-point-8-critical-se
• https://github.com/zeromq/libzmq/issues/3558Third Party Advisory
• https://github.com/zeromq/libzmq/releasesRelease NotesThird Party Advisory
• https://lists.debian.org/debian-lts-announce/2019/07/msg00007.htmlMailing ListThird Party Advisory
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
• https://news.ycombinator.com/item?id=39970716
• https://seclists.org/bugtraq/2019/Jul/13Mailing ListThird Party Advisory
• https://security.gentoo.org/glsa/201908-17Third Party Advisory
• https://usn.ubuntu.com/4050-1/Third Party Advisory
• https://www.debian.org/security/2019/dsa-4477Third Party Advisory