CVE-2021-20235

Published: 4/1/2021 Last updated: 8/3/2024 Reserved: 12/17/2020

There's a flaw in the zeromq server in versions before 4.3.3 in src/decoder_allocators.hpp. The decoder static allocator could have its sized changed, but the buffer would remain the same as it is a static buffer. A remote, unauthenticated attacker who sends a crafted request to the zeromq server could trigger a buffer overflow WRITE of arbitrary data if CURVE/ZAP authentication is not enabled. The greatest impact of this flaw is to application availability, data integrity, and confidentiality.

CNA assigner: redhat (53f830b8-0a3f-465b-8143-3b8a9948e749) Requested by: n/a

Opam packages affected (1)

conf-zmq

Products affected (1)

Product	Vendor	Version
zeromq	n/a	QCA6574

References (4)

https://bugzilla.redhat.com/show_bug.cgi?id=1921983
https://github.com/zeromq/libzmq/security/advisories/GHSA-fc3w-qxf5-7hp6
https://bugzilla.redhat.com/show_bug.cgi?id=1921983
https://github.com/zeromq/libzmq/security/advisories/GHSA-fc3w-qxf5-7hp6