CVE-2020-15166
Severity: HIGH
libzmq < 4.3.3 - Denial of Service via TCP Transport Endpoint
Title source: llmDescription
In ZeroMQ before version 4.3.3, there is a denial-of-service vulnerability. Users with TCP transport public endpoints, even with CURVE/ZAP enabled, are impacted. If a raw TCP socket is opened and connected to an endpoint that is fully configured with CURVE/ZAP, legitimate clients will not be able to exchange any message. Handshakes complete successfully, and messages are delivered to the library, but the server application never receives them. This is patched in version 4.3.3.
References (7)
Patch, Third Party Advisory (x_refsource_confirm): https://github.com/zeromq/libzmq/security/advisories/GHSA-25wp-cf8g-938m
Patch, Third Party Advisory (x_refsource_misc): https://github.com/zeromq/libzmq/pull/3913
Patch, Third Party Advisory (x_refsource_misc): https://github.com/zeromq/libzmq/pull/3973
Third Party Advisory, vendor-advisory (x_refsource_gentoo): https://security.gentoo.org/glsa/202009-12
Mailing List, Third Party Advisory, vendor-advisory (x_refsource_fedora): https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BZ5IMNQXDB52JFBXHFLK4AHVORFELNNG/
Mailing List, Third Party Advisory, vendor-advisory (x_refsource_fedora): https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YFW2ZELCCPS4VLU4OSJOH5YL6KFKTFYW/
Mailing List, Third Party Advisory, mailing-list (x_refsource_mlist): https://lists.debian.org/debian-lts-announce/2020/11/msg00017.html
Scores
CVSS v3: 7.5
EPSS: 0.0341
EPSS Percentile: 87.4%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
CWE: CWE-400
Status: published
Products (4)
debian/debian_linux 9.0
fedoraproject/fedora 32
fedoraproject/fedora 33
zeromq/libzmq < 4.3.3
Published: Sep 11, 2020
Tracked Since: Feb 18, 2026