VDB
CVE-2020-15166
CVE-2020-15166
PUBLISHED
In ZeroMQ before version 4.3.3, there is a denial-of-service vulnerability. Users with TCP transport public endpoints, even with CURVE/ZAP enabled, are impacted. If a raw TCP socket is opened and connected to an endpoint that is fully configured with CURVE/ZAP, legitimate clients will not be able to exchange any message. Handshakes complete successfully, and messages are delivered to the library, but the server application never receives them. This is patched in version 4.3.3.
EPSS 0.41% · 61.7th percentile
Risk Scores
EPSS Score
0.41%
61.7th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:Pro:18.04:LTS | zeromq3 | 4.2.1-4ubuntu1, 4.2.5-1ubuntu0.1, 4.2.3-1 |
| Ubuntu:Pro:16.04:LTS | zeromq3 | 4.0.5+dfsg-3ubuntu1~gcc5.1, 4.1.4-7, 4.1.4-7ubuntu0.1 |
| Ubuntu:Pro:20.04:LTS | zeromq3 | 4.3.2-2ubuntu1, 0, 4.3.2-1 |
| Ubuntu:Pro:14.04:LTS | zeromq3 | 4.0.3+dfsg-1, 3.2.4+dfsg-4, 3.2.4+dfsg-3 |
Timeline
- Sep 11, 2020 CVE Published
- Apr 14, 2021 EPSS Score
- Jun 22, 2021 EPSS Score
- Oct 25, 2021 EPSS Score
- Dec 27, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Feb 4, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- May 1, 2022 EPSS Score
- Jul 2, 2022 EPSS Score
- Sep 4, 2022 EPSS Score
- Jan 7, 2023 EPSS Score
References
- https://ubuntu.com/security/CVE-2020-15166 third-party-advisory
- https://www.openwall.com/lists/oss-security/2020/09/07/3 third-party-advisory
- https://github.com/zeromq/libzmq/security/advisories/GHSA-25wp-cf8g-938m third-party-advisory
- https://github.com/zeromq/libzmq/commit/e7f0090b161ce6344f6bd35009816a925c070b09 third-party-advisory
- https://ubuntu.com/security/notices/USN-4920-1 vendor-advisory
- https://www.cve.org/CVERecord?id=CVE-2020-15166 third-party-advisory