Vulnerability Description
In ZeroMQ before version 4.3.3, there is a denial-of-service vulnerability. Users with TCP transport public endpoints, even with CURVE/ZAP enabled, are impacted. If a raw TCP socket is opened and connected to an endpoint that is fully configured with CURVE/ZAP, legitimate clients will not be able to exchange any message. Handshakes complete successfully, and messages are delivered to the library, but the server application never receives them. This is patched in version 4.3.3.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Zeromq | Libzmq | < 4.3.3 |
| Fedoraproject | Fedora | 32 |
| Debian | Debian Linux | 9.0 |
Related Weaknesses (CWE)
References
- https://github.com/zeromq/libzmq/pull/3913PatchThird Party Advisory
- https://github.com/zeromq/libzmq/pull/3973PatchThird Party Advisory
- https://github.com/zeromq/libzmq/security/advisories/GHSA-25wp-cf8g-938mPatchThird Party Advisory
- https://lists.debian.org/debian-lts-announce/2020/11/msg00017.htmlMailing ListThird Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://security.gentoo.org/glsa/202009-12Third Party Advisory
- https://github.com/zeromq/libzmq/pull/3913PatchThird Party Advisory
- https://github.com/zeromq/libzmq/pull/3973PatchThird Party Advisory
- https://github.com/zeromq/libzmq/security/advisories/GHSA-25wp-cf8g-938mPatchThird Party Advisory
- https://lists.debian.org/debian-lts-announce/2020/11/msg00017.htmlMailing ListThird Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://security.gentoo.org/glsa/202009-12Third Party Advisory
FAQ
What is CVE-2020-15166?
CVE-2020-15166 is a vulnerability with a CVSS score of 7.5 (HIGH). In ZeroMQ before version 4.3.3, there is a denial-of-service vulnerability. Users with TCP transport public endpoints, even with CURVE/ZAP enabled, are impacted. If a raw TCP socket is opened and conn...
How severe is CVE-2020-15166?
CVE-2020-15166 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-15166?
Check the references section above for vendor advisories and patch information. Affected products include: Zeromq Libzmq, Fedoraproject Fedora, Debian Debian Linux.