5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0.014 Low
EPSS
Percentile
86.4%
In ZeroMQ before version 4.3.3, there is a denial-of-service vulnerability.
Users with TCP transport public endpoints, even with CURVE/ZAP enabled, are
impacted. If a raw TCP socket is opened and connected to an endpoint that
is fully configured with CURVE/ZAP, legitimate clients will not be able to
exchange any message. Handshakes complete successfully, and messages are
delivered to the library, but the server application never receives them.
This is patched in version 4.3.3.
github.com/zeromq/libzmq/commit/e7f0090b161ce6344f6bd35009816a925c070b09
github.com/zeromq/libzmq/security/advisories/GHSA-25wp-cf8g-938m
launchpad.net/bugs/cve/CVE-2020-15166
nvd.nist.gov/vuln/detail/CVE-2020-15166
security-tracker.debian.org/tracker/CVE-2020-15166
ubuntu.com/security/notices/USN-4920-1
www.cve.org/CVERecord?id=CVE-2020-15166
www.openwall.com/lists/oss-security/2020/09/07/3
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0.014 Low
EPSS
Percentile
86.4%