CVE-2021-20237
First published: Fri Jan 29 2021(Updated: )
A flaw was found in zeromq before 4.3.3. Messages with metadata are never processed by PUB sockets, but the metadata is kept referenced in the PUB object and never freed leading to memory leaks. References: <a href="https://github.com/zeromq/libzmq/pull/3935">https://github.com/zeromq/libzmq/pull/3935</a> <a href="https://github.com/zeromq/libzmq/security/advisories/GHSA-4p5v-h92w-6wxw">https://github.com/zeromq/libzmq/security/advisories/GHSA-4p5v-h92w-6wxw</a> <a href="https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22344">https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22344</a>
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| ZeroMQ libzmq | >=4.2.0<4.3.3 | |
| redhat/zeromq | <4.3.3 | 4.3.3 |
| debian/zeromq3 | 4.3.4-1+deb11u1 4.3.4-6 4.3.5-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi?id=1921989
- https://github.com/zeromq/libzmq/security/advisories/GHSA-4p5v-h92w-6wxw
- https://launchpad.net/bugs/cve/CVE-2021-20237
- https://github.com/zeromq/libzmq/pull/3935
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22344
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1921994
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1921992
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1921993
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1921990
- https://bodhi.fedoraproject.org/updates/FEDORA-2021-a01e258e6d
- https://security-tracker.debian.org/tracker/CVE-2021-20237
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20237
- https://nvd.nist.gov/vuln/detail/CVE-2021-20237
- https://ubuntu.com/security/CVE-2021-20237
Frequently Asked Questions
What is the vulnerability ID for this ZeroMQ vulnerability?
The vulnerability ID for this ZeroMQ vulnerability is CVE-2021-20237.
What is the severity rating of CVE-2021-20237?
CVE-2021-20237 has a severity rating of 7.5 (high).
How does CVE-2021-20237 impact ZeroMQ?
CVE-2021-20237 is an uncontrolled resource consumption (memory leak) flaw that allows a remote unauthenticated attacker to send crafted messages, consuming excessive memory if the CURVE/ZAP authentication is disabled on the ZeroMQ server.
Which versions of ZeroMQ are affected by CVE-2021-20237?
Versions before 4.3.3 of ZeroMQ are affected by CVE-2021-20237.
How can I fix CVE-2021-20237?
To fix CVE-2021-20237, upgrade ZeroMQ to version 4.3.3 or later.
- collector/nvd-index
- agent/weakness
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/author
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-20237
- agent/severity
- collector/security-tracker-debian
- source/Debian
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/usn-cve
- source/Ubuntu
- agent/remedy
- agent/references
- agent/softwarecombine
- agent/description
- agent/event
- agent/tags
- agent/trending
- vendor/zeromq
- canonical/zeromq libzmq
- version/zeromq libzmq/4.2.0
- package-manager/redhat
- package-manager/debian