{"containers": {"cna": {"affected": [{"product": "libzmq", "vendor": "zeromq", "versions": [{"status": "affected", "version": "< 4.3.3"}]}], "descriptions": [{"lang": "en", "value": "In ZeroMQ before version 4.3.3, there is a denial-of-service vulnerability. Users with TCP transport public endpoints, even with CURVE/ZAP enabled, are impacted. If a raw TCP socket is opened and connected to an endpoint that is fully configured with CURVE/ZAP, legitimate clients will not be able to exchange any message. Handshakes complete successfully, and messages are delivered to the library, but the server application never receives them. This is patched in version 4.3.3."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-11-10T16:06:15", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/zeromq/libzmq/security/advisories/GHSA-25wp-cf8g-938m"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/zeromq/libzmq/pull/3913"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/zeromq/libzmq/pull/3973"}, {"name": "GLSA-202009-12", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202009-12"}, {"name": "FEDORA-2020-08402f4071", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BZ5IMNQXDB52JFBXHFLK4AHVORFELNNG/"}, {"name": "FEDORA-2020-5460fcf6bd", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YFW2ZELCCPS4VLU4OSJOH5YL6KFKTFYW/"}, {"name": "[debian-lts-announce] 20201110 [SECURITY] [DLA 2443-1] zeromq3 security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2020/11/msg00017.html"}], "source": {"advisory": "GHSA-25wp-cf8g-938m", "discovery": "UNKNOWN"}, "title": "Denial of Service in ZeroMQ", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-15166", "STATE": "PUBLIC", "TITLE": "Denial of Service in ZeroMQ"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "libzmq", "version": {"version_data": [{"version_value": "< 4.3.3"}]}}]}, "vendor_name": "zeromq"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In ZeroMQ before version 4.3.3, there is a denial-of-service vulnerability. Users with TCP transport public endpoints, even with CURVE/ZAP enabled, are impacted. If a raw TCP socket is opened and connected to an endpoint that is fully configured with CURVE/ZAP, legitimate clients will not be able to exchange any message. Handshakes complete successfully, and messages are delivered to the library, but the server application never receives them. This is patched in version 4.3.3."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-400 Uncontrolled Resource Consumption"}]}]}, "references": {"reference_data": [{"name": "https://github.com/zeromq/libzmq/security/advisories/GHSA-25wp-cf8g-938m", "refsource": "CONFIRM", "url": "https://github.com/zeromq/libzmq/security/advisories/GHSA-25wp-cf8g-938m"}, {"name": "https://github.com/zeromq/libzmq/pull/3913", "refsource": "MISC", "url": "https://github.com/zeromq/libzmq/pull/3913"}, {"name": "https://github.com/zeromq/libzmq/pull/3973", "refsource": "MISC", "url": "https://github.com/zeromq/libzmq/pull/3973"}, {"name": "GLSA-202009-12", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202009-12"}, {"name": "FEDORA-2020-08402f4071", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BZ5IMNQXDB52JFBXHFLK4AHVORFELNNG/"}, {"name": "FEDORA-2020-5460fcf6bd", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YFW2ZELCCPS4VLU4OSJOH5YL6KFKTFYW/"}, {"name": "[debian-lts-announce] 20201110 [SECURITY] [DLA 2443-1] zeromq3 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/11/msg00017.html"}]}, "source": {"advisory": "GHSA-25wp-cf8g-938m", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T13:08:22.367Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/zeromq/libzmq/security/advisories/GHSA-25wp-cf8g-938m"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/zeromq/libzmq/pull/3913"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/zeromq/libzmq/pull/3973"}, {"name": "GLSA-202009-12", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/202009-12"}, {"name": "FEDORA-2020-08402f4071", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BZ5IMNQXDB52JFBXHFLK4AHVORFELNNG/"}, {"name": "FEDORA-2020-5460fcf6bd", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YFW2ZELCCPS4VLU4OSJOH5YL6KFKTFYW/"}, {"name": "[debian-lts-announce] 20201110 [SECURITY] [DLA 2443-1] zeromq3 security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2020/11/msg00017.html"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-15166", "datePublished": "2020-09-11T15:35:14", "dateReserved": "2020-06-25T00:00:00", "dateUpdated": "2024-08-04T13:08:22.367Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zeromq:libzmq:*:*:*:*:*:*:*:*", "matchCriteriaId": "BE196820-680A-400C-A492-22819F5CABB5", "versionEndExcluding": "4.3.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "matchCriteriaId": "36D96259-24BD-44E2-96D9-78CE1D41F956", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In ZeroMQ before version 4.3.3, there is a denial-of-service vulnerability. Users with TCP transport public endpoints, even with CURVE/ZAP enabled, are impacted. If a raw TCP socket is opened and connected to an endpoint that is fully configured with CURVE/ZAP, legitimate clients will not be able to exchange any message. Handshakes complete successfully, and messages are delivered to the library, but the server application never receives them. This is patched in version 4.3.3."}, {"lang": "es", "value": "En ZeroMQ versiones anteriores a 4.3.3, se presenta una vulnerabilidad de denegaci\u00f3n de servicio.&#xa0;Los usuarios con endpoints p\u00fablicos de transporte TCP, incluso con CURVE/ZAP habilitado, est\u00e1n afectados.&#xa0;Si es abierto un socket TCP sin procesar y es conectado a un endpoint que est\u00e1 completamente configurado con CURVE/ZAP, los clientes leg\u00edtimos no podr\u00e1n ser capaces de intercambiar ning\u00fan mensaje.&#xa0;Los Protocolos de Enlace se completan correctamente y los mensajes son enviados a la biblioteca, pero la aplicaci\u00f3n del servidor nunca los recibe.&#xa0;Esto est\u00e1 parcheado en la versi\u00f3n 4.3.3"}], "id": "CVE-2020-15166", "lastModified": "2023-11-07T03:17:26.337", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2020-09-11T16:15:12.177", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/zeromq/libzmq/pull/3913"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/zeromq/libzmq/pull/3973"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/zeromq/libzmq/security/advisories/GHSA-25wp-cf8g-938m"}, {"source": "security-advisories@github.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2020/11/msg00017.html"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BZ5IMNQXDB52JFBXHFLK4AHVORFELNNG/"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YFW2ZELCCPS4VLU4OSJOH5YL6KFKTFYW/"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202009-12"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "zeromq: unauthenticated clients causing denial-of-service", "id": "1875223", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1875223"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-400", "details": ["In ZeroMQ before version 4.3.3, there is a denial-of-service vulnerability. Users with TCP transport public endpoints, even with CURVE/ZAP enabled, are impacted. If a raw TCP socket is opened and connected to an endpoint that is fully configured with CURVE/ZAP, legitimate clients will not be able to exchange any message. Handshakes complete successfully, and messages are delivered to the library, but the server application never receives them. This is patched in version 4.3.3.", "A flaw was found in ZeroMQ, where the possibility of unauthenticated clients causes a denial of service that affects authenticated and encrypted clients. The highest threat from this vulnerability is to system availability."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2020-15166", "package_state": [{"cpe": "cpe:/a:redhat:ceph_storage:2", "fix_state": "Out of support scope", "package_name": "zeromq3", "product_name": "Red Hat Ceph Storage 2"}], "public_date": "2020-09-07T16:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-15166\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-15166\nhttps://github.com/zeromq/libzmq/security/advisories/GHSA-25wp-cf8g-938m"], "statement": "Red Hat Ceph Storage 2 is now in the Extended Life Support (ELS) Phase of the support and maintenance life cycle and receives only qualified Important and Critical impact security fixes. This issue has been rated as having a security impact of Moderate and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Ceph Storage Life Cycle: https://access.redhat.com/articles/1372203", "threat_severity": "Moderate", "upstream_fix": "libzmq 4.3.3"}