Vulnerability Details CVE-2021-20235
There's a flaw in the zeromq server in versions before 4.3.3 in src/decoder_allocators.hpp. The decoder static allocator could have its sized changed, but the buffer would remain the same as it is a static buffer. A remote, unauthenticated attacker who sends a crafted request to the zeromq server could trigger a buffer overflow WRITE of arbitrary data if CURVE/ZAP authentication is not enabled. The greatest impact of this flaw is to application availability, data integrity, and confidentiality.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.056
EPSS Ranking 89.8%
CVSS Severity
CVSS v3 Score 8.1
CVSS v2 Score 6.8
References
Products affected by CVE-2021-20235
-
cpe:2.3:a:zeromq:libzmq:4.2.0
-
cpe:2.3:a:zeromq:libzmq:4.2.1
-
cpe:2.3:a:zeromq:libzmq:4.2.2
-
cpe:2.3:a:zeromq:libzmq:4.2.3
-
cpe:2.3:a:zeromq:libzmq:4.2.4
-
cpe:2.3:a:zeromq:libzmq:4.2.5
-
cpe:2.3:a:zeromq:libzmq:4.3.0
-
cpe:2.3:a:zeromq:libzmq:4.3.1
-
cpe:2.3:a:zeromq:libzmq:4.3.2